23542300x80000000000000002383230Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:29.200{9A05EE67-1F89-6051-4021-00000000B001}19804NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1DADD767446A14FF3A37E15B80E0B31E,SHA256=D8DF1FA2F381F9AA163738C653C11AF75E73F5ECE3CEF9CB201DD6B6572F0375,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002383241Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:31.432{9A05EE67-E30D-6050-F507-00000000B001}60403392C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\HostController\hostcontrollerservice.exe{9A05EE67-E33A-6050-3208-00000000B001}9064C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\NodeRunner.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF9F9C39CD0) 10341000x80000000000000002383240Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:31.432{9A05EE67-E30D-6050-F507-00000000B001}60403392C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\HostController\hostcontrollerservice.exe{9A05EE67-E33A-6050-3208-00000000B001}9064C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\NodeRunner.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF9F9C39CD0) 10341000x80000000000000002383239Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:31.432{9A05EE67-E30D-6050-F507-00000000B001}60403392C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\HostController\hostcontrollerservice.exe{9A05EE67-E325-6050-FD07-00000000B001}6036C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\NodeRunner.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF9F9C39CD0) 10341000x80000000000000002383238Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:31.432{9A05EE67-E30D-6050-F507-00000000B001}60403392C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\HostController\hostcontrollerservice.exe{9A05EE67-E325-6050-FD07-00000000B001}6036C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\NodeRunner.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF9F9C39CD0) 10341000x80000000000000002383237Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:31.432{9A05EE67-E30D-6050-F507-00000000B001}60403392C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\HostController\hostcontrollerservice.exe{9A05EE67-E321-6050-FC07-00000000B001}6508C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\ResourceProfile\contentengine\NodeRunner.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF9F9C39CD0) 10341000x80000000000000002383236Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:31.432{9A05EE67-E30D-6050-F507-00000000B001}60403392C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\HostController\hostcontrollerservice.exe{9A05EE67-E321-6050-FC07-00000000B001}6508C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\ResourceProfile\contentengine\NodeRunner.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF9F9C39CD0) 10341000x80000000000000002383235Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:31.432{9A05EE67-E30D-6050-F507-00000000B001}60403392C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\HostController\hostcontrollerservice.exe{9A05EE67-E311-6050-F707-00000000B001}3708C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\NodeRunner.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF9F9C39CD0) 10341000x80000000000000002383234Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:31.432{9A05EE67-E30D-6050-F507-00000000B001}60403392C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\HostController\hostcontrollerservice.exe{9A05EE67-E311-6050-F707-00000000B001}3708C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\NodeRunner.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF9F9C39CD0) 354300x80000000000000002383233Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:29.870{9A05EE67-1F87-6051-3721-00000000B001}7928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-622.attackrange.local25297-false10.0.1.12-8000- 354300x80000000000000002383248Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:30.808{9A05EE67-DA28-6050-0B00-00000000B001}852C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:e9f1:b27:5240:b65win-dc-622.attackrange.local25299-truefe80:0:0:0:e9f1:b27:5240:b65win-dc-622.attackrange.local389ldap 354300x80000000000000002383247Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:30.808{9A05EE67-E8AD-6050-4216-00000000B001}13956C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:e9f1:b27:5240:b65win-dc-622.attackrange.local25299-truefe80:0:0:0:e9f1:b27:5240:b65win-dc-622.attackrange.local389ldap 354300x80000000000000002383246Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:30.067{9A05EE67-E75B-6050-1613-00000000B001}7048C:\Program Files\Microsoft\Exchange Server\V15\Bin\msexchangerepl.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-622.attackrange.local25298-false10.0.1.14win-dc-622.attackrange.local64327- 354300x80000000000000002383245Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:30.067{9A05EE67-E8AD-6050-4216-00000000B001}13956C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-622.attackrange.local25298-false10.0.1.14win-dc-622.attackrange.local64327- 10341000x80000000000000002383244Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:32.297{9A05EE67-DA3B-6050-2900-00000000B001}261219680C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe{9A05EE67-E846-6050-A315-00000000B001}2032C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxReplication.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\mswsock.dll+14729|C:\Windows\System32\WS2_32.dll+2a103|C:\Windows\System32\WS2_32.dll+2a01c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+800818|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+83fcfe|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.ServiceModel\595b2406c071095f7301a6d37a9e77bd\System.ServiceModel.ni.dll+11dce8f|C:\Windows\assembly\NativeImages_v4.0.30319_64\SMSvcHost\5664f7867dcb750750669fe8cbe4124c\SMSvcHost.ni.exe+58670|C:\Windows\assembly\NativeImages_v4.0.30319_64\SMSvcHost\5664f7867dcb750750669fe8cbe4124c\SMSvcHost.ni.exe+52225|C:\Windows\assembly\NativeImages_v4.0.30319_64\SMSvcHost\5664f7867dcb750750669fe8cbe4124c\SMSvcHost.ni.exe+4d930|C:\Windows\assembly\NativeImages_v4.0.30319_64\SMSvcHost\5664f7867dcb750750669fe8cbe4124c\SMSvcHost.ni.exe+4d816|C:\Windows\assembly\NativeImages_v4.0.30319_64\SMSvcHost\5664f7867dcb750750669fe8cbe4124c\SMSvcHost.ni.exe+4d5dc|C:\Windows\assembly\NativeImages_v4.0.30319_64\SMSvcHost\5664f7867dcb750750669fe8cbe4124c\SMSvcHost.ni.exe+519fc|C:\Windows\assembly\NativeImages_v4.0.30319_64\SMSvcHost\5664f7867dcb750750669fe8cbe4124c\SMSvcHost.ni.exe+56326|C:\Windows\assembly\NativeImages_v4.0.30319_64\SMSvcHost\5664f7867dcb750750669fe8cbe4124c\SMSvcHost.ni.exe+570e6|C:\Windows\assembly\NativeImages_v4.0.30319_64\SMSvcHost\5664f7867dcb750750669fe8cbe4124c\SMSvcHost.ni.exe+5739e|C:\Windows\assembly\NativeImages_v4.0.30319_64\SMSvcHost\5664f7867dcb750750669fe8cbe4124c\SMSvcHost.ni.exe+56803|C:\Windows\assembly\NativeImages_v4.0.30319_64\SMSvcHost\5664f7867dcb750750669fe8cbe4124c\SMSvcHost.ni.exe+56121|C:\Windows\assembly\NativeImages_v4.0.30319_64\SMSvcHost\5664f7867dcb750750669fe8cbe4124c\SMSvcHost.ni.exe+56bb8|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Servd1dec626#\0a21e2e771673eaddf55cd08eb990345\System.ServiceModel.Internals.ni.dll+ffc2000d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+310906|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\e150e12dedbd1a8eb71660b9680a9ae7\mscorlib.ni.dll+58df12|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\e150e12dedbd1a8eb71660b9680a9ae7\mscorlib.ni.dll+58dd95 10341000x80000000000000002383243Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:32.261{9A05EE67-DA3B-6050-2900-00000000B001}261219680C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe{9A05EE67-E846-6050-A315-00000000B001}2032C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxReplication.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\mswsock.dll+14729|C:\Windows\System32\WS2_32.dll+2a103|C:\Windows\System32\WS2_32.dll+2a01c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+800818|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+83fcfe|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.ServiceModel\595b2406c071095f7301a6d37a9e77bd\System.ServiceModel.ni.dll+11dce8f|C:\Windows\assembly\NativeImages_v4.0.30319_64\SMSvcHost\5664f7867dcb750750669fe8cbe4124c\SMSvcHost.ni.exe+58670|C:\Windows\assembly\NativeImages_v4.0.30319_64\SMSvcHost\5664f7867dcb750750669fe8cbe4124c\SMSvcHost.ni.exe+52225|C:\Windows\assembly\NativeImages_v4.0.30319_64\SMSvcHost\5664f7867dcb750750669fe8cbe4124c\SMSvcHost.ni.exe+4d930|C:\Windows\assembly\NativeImages_v4.0.30319_64\SMSvcHost\5664f7867dcb750750669fe8cbe4124c\SMSvcHost.ni.exe+4d816|C:\Windows\assembly\NativeImages_v4.0.30319_64\SMSvcHost\5664f7867dcb750750669fe8cbe4124c\SMSvcHost.ni.exe+4d5dc|C:\Windows\assembly\NativeImages_v4.0.30319_64\SMSvcHost\5664f7867dcb750750669fe8cbe4124c\SMSvcHost.ni.exe+519fc|C:\Windows\assembly\NativeImages_v4.0.30319_64\SMSvcHost\5664f7867dcb750750669fe8cbe4124c\SMSvcHost.ni.exe+56326|C:\Windows\assembly\NativeImages_v4.0.30319_64\SMSvcHost\5664f7867dcb750750669fe8cbe4124c\SMSvcHost.ni.exe+570e6|C:\Windows\assembly\NativeImages_v4.0.30319_64\SMSvcHost\5664f7867dcb750750669fe8cbe4124c\SMSvcHost.ni.exe+5739e|C:\Windows\assembly\NativeImages_v4.0.30319_64\SMSvcHost\5664f7867dcb750750669fe8cbe4124c\SMSvcHost.ni.exe+56803|C:\Windows\assembly\NativeImages_v4.0.30319_64\SMSvcHost\5664f7867dcb750750669fe8cbe4124c\SMSvcHost.ni.exe+56121|C:\Windows\assembly\NativeImages_v4.0.30319_64\SMSvcHost\5664f7867dcb750750669fe8cbe4124c\SMSvcHost.ni.exe+56bb8|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Servd1dec626#\0a21e2e771673eaddf55cd08eb990345\System.ServiceModel.Internals.ni.dll+ffc2000d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+310906|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\e150e12dedbd1a8eb71660b9680a9ae7\mscorlib.ni.dll+58df12|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\e150e12dedbd1a8eb71660b9680a9ae7\mscorlib.ni.dll+58dd95 23542300x80000000000000002383242Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:32.042{9A05EE67-1F89-6051-4021-00000000B001}19804NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=36D02BC5EBDF3AC0F0819DDCA955A924,SHA256=84DBC8EA397744BC65B142AB4E8E2FBED1C938762340BBD280EC04E7B9F40312,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002383254Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:31.953{9A05EE67-DA3B-6050-2900-00000000B001}2612C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exeNT AUTHORITY\LOCAL SERVICEtcpfalsetruefe80:0:0:0:e9f1:b27:5240:b65win-dc-622.attackrange.local25301-truefe80:0:0:0:e9f1:b27:5240:b65win-dc-622.attackrange.local808- 354300x80000000000000002383253Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:31.953{9A05EE67-E846-6050-A315-00000000B001}2032C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxReplication.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:e9f1:b27:5240:b65win-dc-622.attackrange.local25301-truefe80:0:0:0:e9f1:b27:5240:b65win-dc-622.attackrange.local808- 354300x80000000000000002383252Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:31.926{9A05EE67-DA3B-6050-2900-00000000B001}2612C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exeNT AUTHORITY\LOCAL SERVICEtcpfalsetruefe80:0:0:0:e9f1:b27:5240:b65win-dc-622.attackrange.local25300-truefe80:0:0:0:e9f1:b27:5240:b65win-dc-622.attackrange.local808- 354300x80000000000000002383251Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:31.926{9A05EE67-E8AD-6050-4216-00000000B001}13956C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:e9f1:b27:5240:b65win-dc-622.attackrange.local25300-truefe80:0:0:0:e9f1:b27:5240:b65win-dc-622.attackrange.local808- 10341000x80000000000000002383250Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:33.229{9A05EE67-DA28-6050-0B00-00000000B001}85215708C:\Windows\system32\lsass.exe{9A05EE67-E8AD-6050-4216-00000000B001}13956C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\kerberos.DLL+8cb5a|C:\Windows\system32\kerberos.DLL+42a18|C:\Windows\system32\kerberos.DLL+40fbb|C:\Windows\system32\kerberos.DLL+148cf|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002383249Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:33.229{9A05EE67-DA28-6050-0B00-00000000B001}85215708C:\Windows\system32\lsass.exe{9A05EE67-E8AD-6050-4216-00000000B001}13956C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x80000000000000002383258Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:32.895{9A05EE67-DA26-6050-0100-00000000B001}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-622.attackrange.local25303-true0:0:0:0:0:0:0:1win-dc-622.attackrange.local443https 354300x80000000000000002383257Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:32.895{9A05EE67-E8AD-6050-4216-00000000B001}13956C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-622.attackrange.local25303-true0:0:0:0:0:0:0:1win-dc-622.attackrange.local443https 354300x80000000000000002383256Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:32.886{9A05EE67-DA26-6050-0100-00000000B001}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse127.0.0.1win-dc-622.attackrange.local25302-false127.0.0.1win-dc-622.attackrange.local443https 354300x80000000000000002383255Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:32.886{9A05EE67-E8AD-6050-4216-00000000B001}13956C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exeNT AUTHORITY\SYSTEMtcptruefalse127.0.0.1win-dc-622.attackrange.local25302-false127.0.0.1win-dc-622.attackrange.local443https 23542300x80000000000000002383533Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.979{9A05EE67-1F89-6051-4021-00000000B001}19804NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=819E0A976F5FF6A1BA10A8D74E969EFE,SHA256=A06426A420B2B353EAF5A64A17649DFFBC71C5539D735DDD33825E133510A7E0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002383532Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-20BB-6051-CA21-00000000B001}25052C:\Windows\system32\nslookup.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383531Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-20BB-6051-CA21-00000000B001}25052C:\Windows\system32\nslookup.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383530Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-20BB-6051-C921-00000000B001}16536C:\Windows\system32\nslookup.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383529Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-20BB-6051-C921-00000000B001}16536C:\Windows\system32\nslookup.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383528Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-20BB-6051-C821-00000000B001}21956C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383527Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-20BB-6051-C821-00000000B001}21956C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383526Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-20BB-6051-C721-00000000B001}23524C:\Windows\SYSTEM32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383525Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-20BB-6051-C721-00000000B001}23524C:\Windows\SYSTEM32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383524Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-20BB-6051-C621-00000000B001}10816C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383523Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-20BB-6051-C621-00000000B001}10816C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383522Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-20BB-6051-C521-00000000B001}5244C:\Windows\SYSTEM32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383521Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-20BB-6051-C521-00000000B001}5244C:\Windows\SYSTEM32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383520Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-20A0-6051-A621-00000000B001}15716C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383519Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-20A0-6051-A621-00000000B001}15716C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383518Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-202A-6051-7E21-00000000B001}4240C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383517Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-202A-6051-7E21-00000000B001}4240C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383516Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-1F89-6051-4021-00000000B001}19804C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383515Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-1F89-6051-4021-00000000B001}19804C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383514Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-1F87-6051-3721-00000000B001}7928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383513Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-1F87-6051-3721-00000000B001}7928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383512Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-1F7A-6051-0D21-00000000B001}23396C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383511Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-1F7A-6051-0D21-00000000B001}23396C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383510Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-1F79-6051-0921-00000000B001}26152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383509Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-1F79-6051-0921-00000000B001}26152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383508Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-1D10-6051-7820-00000000B001}20976C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383507Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-1D10-6051-7820-00000000B001}20976C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383506Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-1BDC-6051-3520-00000000B001}21456C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383505Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-1BDC-6051-3520-00000000B001}21456C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383504Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-1BDC-6051-3420-00000000B001}11392C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383503Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-1BDC-6051-3420-00000000B001}11392C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383502Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-1936-6051-B71F-00000000B001}17872C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383501Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-1936-6051-B71F-00000000B001}17872C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383500Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-FD4A-6050-6C1A-00000000B001}24580C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383499Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-FD4A-6050-6C1A-00000000B001}24580C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383498Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-FD16-6050-571A-00000000B001}9584C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383497Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-FD16-6050-571A-00000000B001}9584C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383496Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-FD16-6050-561A-00000000B001}24120C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383495Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-FD16-6050-561A-00000000B001}24120C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383494Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-FD15-6050-551A-00000000B001}8612C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383493Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-FD15-6050-551A-00000000B001}8612C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383492Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-FD15-6050-541A-00000000B001}18620C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383491Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-FD15-6050-541A-00000000B001}18620C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383490Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-FD13-6050-531A-00000000B001}22004C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383489Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-FD13-6050-531A-00000000B001}22004C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383488Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-ED2D-6050-6E17-00000000B001}22016c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383487Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-ED2D-6050-6E17-00000000B001}22016c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383486Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-ED20-6050-6117-00000000B001}21992C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\scanningprocess.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383485Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-ED20-6050-6117-00000000B001}21992C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\scanningprocess.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383484Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-EBF9-6050-2E17-00000000B001}6188c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383483Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-EBF9-6050-2E17-00000000B001}6188c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383482Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-EBB8-6050-1E17-00000000B001}16064c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383481Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-EBB8-6050-1E17-00000000B001}16064c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383480Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E9FC-6050-C916-00000000B001}18272c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383479Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E9FC-6050-C916-00000000B001}18272c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383478Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E9ED-6050-C816-00000000B001}5704c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383477Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E9ED-6050-C816-00000000B001}5704c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383476Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E9BD-6050-B916-00000000B001}17328c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383475Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E9BD-6050-B916-00000000B001}17328c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383474Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E96D-6050-AB16-00000000B001}15480c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383473Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E96D-6050-AB16-00000000B001}15480c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383472Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E959-6050-8C16-00000000B001}6868c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383471Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E959-6050-8C16-00000000B001}6868c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383470Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E953-6050-8016-00000000B001}14944c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383469Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E953-6050-8016-00000000B001}14944c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383468Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E950-6050-7C16-00000000B001}14520c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383467Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E950-6050-7C16-00000000B001}14520c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383466Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E946-6050-7116-00000000B001}10832c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383465Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E946-6050-7116-00000000B001}10832c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383464Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E93F-6050-6A16-00000000B001}13552c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383463Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E93F-6050-6A16-00000000B001}13552c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383462Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E93B-6050-6616-00000000B001}13336c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383461Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E93B-6050-6616-00000000B001}13336c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383460Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E8D2-6050-4E16-00000000B001}14156c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383459Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E8D2-6050-4E16-00000000B001}14156c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383458Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E8B2-6050-4716-00000000B001}11216C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMRecovery.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383457Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E8B2-6050-4716-00000000B001}11216C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMRecovery.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383456Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E8B0-6050-4416-00000000B001}11464C:\Windows\system32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383455Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E8B0-6050-4416-00000000B001}11464C:\Windows\system32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383454Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E8AD-6050-4316-00000000B001}12744C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383453Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E8AD-6050-4316-00000000B001}12744C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383452Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E8AD-6050-4216-00000000B001}13956C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383451Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E8AD-6050-4216-00000000B001}13956C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383450Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E8AC-6050-4116-00000000B001}13236C:\Windows\system32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383449Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E8AC-6050-4116-00000000B001}13236C:\Windows\system32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383448Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E8A8-6050-3F16-00000000B001}14088C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383447Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E8A8-6050-3F16-00000000B001}14088C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383446Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E89D-6050-2916-00000000B001}13432C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Diagnostics.Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383445Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E89D-6050-2916-00000000B001}13432C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Diagnostics.Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383444Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E893-6050-2516-00000000B001}12676C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383443Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E893-6050-2516-00000000B001}12676C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383442Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E893-6050-2416-00000000B001}11244C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\PopImap\Microsoft.Exchange.Imap4.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383441Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E893-6050-2416-00000000B001}11244C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\PopImap\Microsoft.Exchange.Imap4.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383440Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E891-6050-2316-00000000B001}11696C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\PopImap\Microsoft.Exchange.Imap4Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383439Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E891-6050-2316-00000000B001}11696C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\PopImap\Microsoft.Exchange.Imap4Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383438Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E889-6050-1F16-00000000B001}4832C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383437Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E889-6050-1F16-00000000B001}4832C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383436Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E889-6050-1E16-00000000B001}13088C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\PopImap\Microsoft.Exchange.Pop3.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383435Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E889-6050-1E16-00000000B001}13088C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\PopImap\Microsoft.Exchange.Pop3.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383434Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E889-6050-1D16-00000000B001}4956C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\PopImap\Microsoft.Exchange.Pop3Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383433Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E889-6050-1D16-00000000B001}4956C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\PopImap\Microsoft.Exchange.Pop3Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383432Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E886-6050-1C16-00000000B001}13040C:\Program Files\Microsoft\Exchange Server\V15\Bin\ComplianceAuditService.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383431Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E886-6050-1C16-00000000B001}13040C:\Program Files\Microsoft\Exchange Server\V15\Bin\ComplianceAuditService.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383430Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E882-6050-1816-00000000B001}12912C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeCompliance.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383429Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E882-6050-1816-00000000B001}12912C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeCompliance.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383428Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E87A-6050-1716-00000000B001}13144C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383427Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E87A-6050-1716-00000000B001}13144C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383426Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E87A-6050-1616-00000000B001}13132C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Imap4.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383425Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E87A-6050-1616-00000000B001}13132C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Imap4.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383424Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E878-6050-1316-00000000B001}12860C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Imap4Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383423Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E878-6050-1316-00000000B001}12860C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Imap4Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383422Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E86F-6050-1216-00000000B001}12292C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383421Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E86F-6050-1216-00000000B001}12292C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383420Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E86F-6050-1116-00000000B001}11120C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Pop3.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383419Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E86F-6050-1116-00000000B001}11120C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Pop3.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383418Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E86E-6050-1016-00000000B001}11884C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Pop3Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383417Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E86E-6050-1016-00000000B001}11884C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Pop3Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383416Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E867-6050-0B16-00000000B001}11960C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\CallRouter\Microsoft.Exchange.UM.CallRouter.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383415Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E867-6050-0B16-00000000B001}11960C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\CallRouter\Microsoft.Exchange.UM.CallRouter.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383414Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E864-6050-0616-00000000B001}12120C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383413Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E864-6050-0616-00000000B001}12120C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383412Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383411Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383410Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E861-6050-0116-00000000B001}10868C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383409Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E861-6050-0116-00000000B001}10868C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383408Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E85A-6050-F915-00000000B001}11772C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\scanningprocess.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383407Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E85A-6050-F915-00000000B001}11772C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\scanningprocess.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383406Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E85A-6050-F815-00000000B001}11708C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\scanningprocess.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383405Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E85A-6050-F815-00000000B001}11708C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\scanningprocess.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383404Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E856-6050-F015-00000000B001}11876C:\Program Files\Microsoft\Exchange Server\V15\Bin\ForefrontActiveDirectoryConnector.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383403Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E856-6050-F015-00000000B001}11876C:\Program Files\Microsoft\Exchange Server\V15\Bin\ForefrontActiveDirectoryConnector.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383402Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E854-6050-E715-00000000B001}12284C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\updateservice.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383401Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E854-6050-E715-00000000B001}12284C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\updateservice.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383400Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E851-6050-D915-00000000B001}11424C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\FMS.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383399Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E851-6050-D915-00000000B001}11424C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\FMS.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383398Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E84F-6050-D615-00000000B001}2888C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.EdgeSyncSvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383397Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E84F-6050-D615-00000000B001}2888C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.EdgeSyncSvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383396Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E84F-6050-D515-00000000B001}9252C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.AntispamUpdateSvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383395Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E84F-6050-D515-00000000B001}9252C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.AntispamUpdateSvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383394Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E846-6050-A315-00000000B001}2032C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxReplication.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383393Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E846-6050-A315-00000000B001}2032C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxReplication.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383392Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E843-6050-A115-00000000B001}2920C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.RpcClientAccess.Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383391Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E843-6050-A115-00000000B001}2920C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.RpcClientAccess.Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383390Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E83F-6050-7C15-00000000B001}5876C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383389Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E83F-6050-7C15-00000000B001}5876C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383388Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E82B-6050-7015-00000000B001}7156C:\Program Files\Microsoft\Exchange Server\V15\bin\UMworkerprocess.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383387Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E82B-6050-7015-00000000B001}7156C:\Program Files\Microsoft\Exchange Server\V15\bin\UMworkerprocess.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383386Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E829-6050-6A15-00000000B001}2460C:\Program Files\Microsoft\Exchange Server\V15\Bin\umservice.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383385Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E829-6050-6A15-00000000B001}2460C:\Program Files\Microsoft\Exchange Server\V15\Bin\umservice.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383384Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E826-6050-6715-00000000B001}10840C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383383Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E826-6050-6715-00000000B001}10840C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383382Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E825-6050-6515-00000000B001}3388C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeTransportLogSearch.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383381Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E825-6050-6515-00000000B001}3388C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeTransportLogSearch.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383380Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E824-6050-6415-00000000B001}3100C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383379Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E824-6050-6415-00000000B001}3100C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383378Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E807-6050-1215-00000000B001}10084C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.ServiceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383377Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E807-6050-1215-00000000B001}10084C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.ServiceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383376Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E764-6050-1C13-00000000B001}9980C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Store.Worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383375Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E764-6050-1C13-00000000B001}9980C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Store.Worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383374Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E760-6050-1A13-00000000B001}9452C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Store.Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383373Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E760-6050-1A13-00000000B001}9452C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Store.Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383372Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E75D-6050-1813-00000000B001}5196C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDagMgmt.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383371Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E75D-6050-1813-00000000B001}5196C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDagMgmt.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383370Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E75B-6050-1613-00000000B001}7048C:\Program Files\Microsoft\Exchange Server\V15\Bin\msexchangerepl.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383369Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E75B-6050-1613-00000000B001}7048C:\Program Files\Microsoft\Exchange Server\V15\Bin\msexchangerepl.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383368Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E75A-6050-1513-00000000B001}8932C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeThrottling.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383367Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E75A-6050-1513-00000000B001}8932C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeThrottling.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383366Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E759-6050-1413-00000000B001}7660C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeSubmission.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383365Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E759-6050-1413-00000000B001}7660C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeSubmission.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383364Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E758-6050-1313-00000000B001}5828C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Search.Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383363Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E758-6050-1313-00000000B001}5828C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Search.Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383362Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383361Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383360Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E750-6050-0E13-00000000B001}8088C:\Windows\system32\inetsrv\inetinfo.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383359Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E750-6050-0E13-00000000B001}8088C:\Windows\system32\inetsrv\inetinfo.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383358Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E555-6050-DF0C-00000000B001}9164C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383357Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E555-6050-DF0C-00000000B001}9164C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383356Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E33A-6050-3208-00000000B001}9064C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\NodeRunner.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383355Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E33A-6050-3208-00000000B001}9064C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\NodeRunner.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383354Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E335-6050-1D08-00000000B001}9176C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Directory.TopologyService.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383353Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E335-6050-1D08-00000000B001}9176C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Directory.TopologyService.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383352Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E325-6050-FD07-00000000B001}6036C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\NodeRunner.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383351Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E325-6050-FD07-00000000B001}6036C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\NodeRunner.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383350Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E321-6050-FC07-00000000B001}6508C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\ResourceProfile\contentengine\NodeRunner.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383349Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E321-6050-FC07-00000000B001}6508C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\ResourceProfile\contentengine\NodeRunner.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383348Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E311-6050-F707-00000000B001}3708C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\NodeRunner.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383347Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E311-6050-F707-00000000B001}3708C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\NodeRunner.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383346Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E30D-6050-F507-00000000B001}6040C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\HostController\hostcontrollerservice.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383345Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E30D-6050-F507-00000000B001}6040C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\HostController\hostcontrollerservice.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383344Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E30C-6050-F407-00000000B001}5104C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Diagnostics\TraceService\sftracing.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383343Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E30C-6050-F407-00000000B001}5104C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Diagnostics\TraceService\sftracing.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383342Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DFE8-6050-5902-00000000B001}3204C:\Windows\system32\inetsrv\wmsvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383341Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DFE8-6050-5902-00000000B001}3204C:\Windows\system32\inetsrv\wmsvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383340Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DAB6-6050-A800-00000000B001}5792C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383339Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DAB6-6050-A800-00000000B001}5792C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383338Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DAA4-6050-9C00-00000000B001}5232C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383337Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DAA4-6050-9C00-00000000B001}5232C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383336Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DAA4-6050-9B00-00000000B001}5128C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383335Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DAA4-6050-9B00-00000000B001}5128C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383334Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DAA3-6050-9A00-00000000B001}4712C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383333Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DAA3-6050-9A00-00000000B001}4712C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383332Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DAA2-6050-9400-00000000B001}2476C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383331Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DAA2-6050-9400-00000000B001}2476C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383330Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DAA2-6050-9100-00000000B001}4980C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383329Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DAA2-6050-9100-00000000B001}4980C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383328Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DAA0-6050-8E00-00000000B001}1168C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383327Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DAA0-6050-8E00-00000000B001}1168C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383326Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DAA0-6050-8C00-00000000B001}4796C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383325Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DAA0-6050-8C00-00000000B001}4796C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383324Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA3D-6050-4700-00000000B001}4260C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383323Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA3D-6050-4700-00000000B001}4260C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383322Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA3D-6050-4200-00000000B001}4152C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383321Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA3D-6050-4200-00000000B001}4152C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383320Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA3C-6050-3800-00000000B001}3756C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383319Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA3C-6050-3800-00000000B001}3756C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383318Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA3C-6050-3600-00000000B001}3636C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383317Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA3C-6050-3600-00000000B001}3636C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383316Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA3B-6050-3300-00000000B001}2160C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383315Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA3B-6050-3300-00000000B001}2160C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383314Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA3B-6050-3200-00000000B001}2204C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383313Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA3B-6050-3200-00000000B001}2204C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383312Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA3B-6050-3000-00000000B001}2900C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383311Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA3B-6050-3000-00000000B001}2900C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383310Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA3B-6050-2F00-00000000B001}2468C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383309Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA3B-6050-2F00-00000000B001}2468C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383308Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA3B-6050-2E00-00000000B001}2880C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383307Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA3B-6050-2E00-00000000B001}2880C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383306Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA3B-6050-2D00-00000000B001}2780C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383305Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA3B-6050-2D00-00000000B001}2780C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383304Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA3B-6050-2C00-00000000B001}2736C:\Windows\system32\mqsvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383303Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA3B-6050-2C00-00000000B001}2736C:\Windows\system32\mqsvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383302Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA3B-6050-2B00-00000000B001}2488C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383301Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA3B-6050-2B00-00000000B001}2488C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383300Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA3B-6050-2A00-00000000B001}2656C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383299Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA3B-6050-2A00-00000000B001}2656C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383298Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA3B-6050-2900-00000000B001}2612C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383297Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA3B-6050-2900-00000000B001}2612C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383296Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA3B-6050-2800-00000000B001}2620C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383295Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA3B-6050-2800-00000000B001}2620C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383294Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA3B-6050-2600-00000000B001}1928C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383293Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA3B-6050-2600-00000000B001}1928C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383292Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA3B-6050-2500-00000000B001}2140C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383291Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA3B-6050-2500-00000000B001}2140C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383290Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA35-6050-2300-00000000B001}2932C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383289Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA35-6050-2300-00000000B001}2932C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383288Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA2C-6050-2100-00000000B001}2400C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383287Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA2C-6050-2100-00000000B001}2400C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383286Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA2B-6050-1700-00000000B001}1784C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383285Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA2B-6050-1700-00000000B001}1784C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383284Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA2B-6050-1600-00000000B001}1536C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383283Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA2B-6050-1600-00000000B001}1536C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383282Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA2B-6050-1500-00000000B001}1476C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383281Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA2B-6050-1500-00000000B001}1476C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383280Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA2B-6050-1400-00000000B001}1232C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383279Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA2B-6050-1400-00000000B001}1232C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383278Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA2B-6050-1300-00000000B001}1224C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383277Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA2B-6050-1300-00000000B001}1224C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383276Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA2B-6050-1200-00000000B001}1200C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383275Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA2B-6050-1200-00000000B001}1200C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383274Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA2B-6050-1100-00000000B001}1152C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383273Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA2B-6050-1100-00000000B001}1152C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383272Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA2B-6050-1000-00000000B001}1144C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383271Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA2B-6050-1000-00000000B001}1144C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383270Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA2B-6050-0F00-00000000B001}1112C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383269Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA2B-6050-0F00-00000000B001}1112C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383268Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA2B-6050-0E00-00000000B001}1064C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383267Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA2B-6050-0E00-00000000B001}1064C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383266Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA2B-6050-0D00-00000000B001}624C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383265Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA2B-6050-0D00-00000000B001}624C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383264Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA2B-6050-0C00-00000000B001}584C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383263Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA2B-6050-0C00-00000000B001}584C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383262Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA28-6050-0B00-00000000B001}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383261Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA28-6050-0B00-00000000B001}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383260Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA28-6050-0900-00000000B001}792C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002383259Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.620{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA28-6050-0900-00000000B001}792C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002383546Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:36.979{9A05EE67-DA2B-6050-0C00-00000000B001}5847232C:\Windows\system32\svchost.exe{9A05EE67-1D10-6051-7820-00000000B001}20976C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+602a3|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383545Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:36.964{9A05EE67-DA2B-6050-0C00-00000000B001}5847232C:\Windows\system32\svchost.exe{9A05EE67-2598-6051-7823-00000000B001}20636C:\Program Files\SplunkUniversalForwarder\bin\splunk-winhostinfo.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383544Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:36.964{9A05EE67-2598-6051-7823-00000000B001}206364816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winhostinfo.exe{9A05EE67-1F79-6051-0921-00000000B001}26152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winhostinfo.exe+5f6845|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winhostinfo.exe+5f6376|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winhostinfo.exe+55bea|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winhostinfo.exe+560eb|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winhostinfo.exe+8db654|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383543Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:36.903{9A05EE67-DA28-6050-0B00-00000000B001}852588C:\Windows\system32\lsass.exe{9A05EE67-E89D-6050-2916-00000000B001}13432C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Diagnostics.Service.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383542Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:36.903{9A05EE67-DA28-6050-0B00-00000000B001}852588C:\Windows\system32\lsass.exe{9A05EE67-E89D-6050-2916-00000000B001}13432C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Diagnostics.Service.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383541Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:36.714{9A05EE67-1F7A-6051-0D21-00000000B001}233964636C:\Windows\system32\conhost.exe{9A05EE67-2598-6051-7823-00000000B001}20636C:\Program Files\SplunkUniversalForwarder\bin\splunk-winhostinfo.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383540Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:36.714{9A05EE67-DA2B-6050-0C00-00000000B001}5847232C:\Windows\system32\svchost.exe{9A05EE67-DA3B-6050-3000-00000000B001}2900C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383539Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:36.714{9A05EE67-DA2B-6050-0C00-00000000B001}5847232C:\Windows\system32\svchost.exe{9A05EE67-DA3B-6050-3000-00000000B001}2900C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383538Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:36.714{9A05EE67-DA2B-6050-0C00-00000000B001}5847232C:\Windows\system32\svchost.exe{9A05EE67-DA3B-6050-3000-00000000B001}2900C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383537Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:36.714{9A05EE67-DA2B-6050-0C00-00000000B001}5847232C:\Windows\system32\svchost.exe{9A05EE67-DA3B-6050-3000-00000000B001}2900C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383536Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:36.714{9A05EE67-DA28-6050-0500-00000000B001}636652C:\Windows\system32\csrss.exe{9A05EE67-2598-6051-7823-00000000B001}20636C:\Program Files\SplunkUniversalForwarder\bin\splunk-winhostinfo.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002383535Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:36.714{9A05EE67-1F79-6051-0921-00000000B001}2615225328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9A05EE67-2598-6051-7823-00000000B001}20636C:\Program Files\SplunkUniversalForwarder\bin\splunk-winhostinfo.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002383534Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:36.715{9A05EE67-2598-6051-7823-00000000B001}20636C:\Program Files\SplunkUniversalForwarder\bin\splunk-winhostinfo.exe8.0.2Monitor windows hostsplunk ApplicationSplunk Inc.splunk-winhostmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winhostinfo.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9A05EE67-DA29-6050-E703-000000000000}0x3e70SystemMD5=6905A24BF9B6295BD2422337204977D6,SHA256=2B86EC7EBCE7C0A3A77BA1A9B60B67BDA07778DF9E33E89065460BA059BC5A64,IMPHASH=B8203BDD5C47E5110CE749A0AD73B071{9A05EE67-1F79-6051-0921-00000000B001}26152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002383559Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:37.979{9A05EE67-DA2B-6050-0C00-00000000B001}5847232C:\Windows\system32\svchost.exe{9A05EE67-2599-6051-7923-00000000B001}19308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winhostinfo.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383558Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:37.979{9A05EE67-2599-6051-7923-00000000B001}1930823580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winhostinfo.exe{9A05EE67-1F79-6051-0921-00000000B001}26152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winhostinfo.exe+5f6845|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winhostinfo.exe+5f6376|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winhostinfo.exe+55bea|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winhostinfo.exe+560eb|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winhostinfo.exe+8db654|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383557Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:37.776{9A05EE67-DA28-6050-0B00-00000000B001}852588C:\Windows\system32\lsass.exe{9A05EE67-E8AD-6050-4216-00000000B001}13956C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\kerberos.DLL+8cb5a|C:\Windows\system32\kerberos.DLL+42a18|C:\Windows\system32\kerberos.DLL+40fbb|C:\Windows\system32\kerberos.DLL+148cf|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+304a5|C:\Windows\system32\lsasrv.dll+2e33b|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b 10341000x80000000000000002383556Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:37.776{9A05EE67-DA28-6050-0B00-00000000B001}852588C:\Windows\system32\lsass.exe{9A05EE67-E8AD-6050-4216-00000000B001}13956C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+304a5|C:\Windows\system32\lsasrv.dll+2e33b|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002383555Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:37.729{9A05EE67-1F7A-6051-0D21-00000000B001}233964636C:\Windows\system32\conhost.exe{9A05EE67-2599-6051-7923-00000000B001}19308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winhostinfo.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383554Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:37.729{9A05EE67-DA2B-6050-0C00-00000000B001}5847232C:\Windows\system32\svchost.exe{9A05EE67-DA3B-6050-3000-00000000B001}2900C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383553Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:37.729{9A05EE67-DA2B-6050-0C00-00000000B001}5847232C:\Windows\system32\svchost.exe{9A05EE67-DA3B-6050-3000-00000000B001}2900C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383552Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:37.729{9A05EE67-DA2B-6050-0C00-00000000B001}5847232C:\Windows\system32\svchost.exe{9A05EE67-DA3B-6050-3000-00000000B001}2900C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383551Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:37.729{9A05EE67-DA2B-6050-0C00-00000000B001}5847232C:\Windows\system32\svchost.exe{9A05EE67-DA3B-6050-3000-00000000B001}2900C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383550Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:37.729{9A05EE67-DA28-6050-0500-00000000B001}636652C:\Windows\system32\csrss.exe{9A05EE67-2599-6051-7923-00000000B001}19308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winhostinfo.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002383549Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:37.729{9A05EE67-1F79-6051-0921-00000000B001}2615225328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9A05EE67-2599-6051-7923-00000000B001}19308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winhostinfo.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002383548Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:37.733{9A05EE67-2599-6051-7923-00000000B001}19308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winhostinfo.exe8.0.2Monitor windows hostsplunk ApplicationSplunk Inc.splunk-winhostmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winhostinfo.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9A05EE67-DA29-6050-E703-000000000000}0x3e70SystemMD5=6905A24BF9B6295BD2422337204977D6,SHA256=2B86EC7EBCE7C0A3A77BA1A9B60B67BDA07778DF9E33E89065460BA059BC5A64,IMPHASH=B8203BDD5C47E5110CE749A0AD73B071{9A05EE67-1F79-6051-0921-00000000B001}26152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000002383547Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:35.745{9A05EE67-1F87-6051-3721-00000000B001}7928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-622.attackrange.local25304-false10.0.1.12-8000- 23542300x80000000000000002383705Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.542{9A05EE67-1F89-6051-4021-00000000B001}19804NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=98A84C9C6A0F3EA4B8F055594D355D8A,SHA256=2C764F9730BECEF93C5DE327237CBAB54BA1404F146DD4CBFFF5F59F1FF8AA6D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002383704Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:36.568{9A05EE67-DA28-6050-0B00-00000000B001}852C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-622.attackrange.local25307-false10.0.1.14win-dc-622.attackrange.local389ldap 354300x80000000000000002383703Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:36.568{9A05EE67-E89D-6050-2916-00000000B001}13432C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Diagnostics.Service.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-622.attackrange.local25307-false10.0.1.14win-dc-622.attackrange.local389ldap 354300x80000000000000002383702Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:36.564{9A05EE67-DA28-6050-0B00-00000000B001}852C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-622.attackrange.local25306-false10.0.1.14win-dc-622.attackrange.local389ldap 354300x80000000000000002383701Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:36.564{9A05EE67-E89D-6050-2916-00000000B001}13432C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Diagnostics.Service.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-622.attackrange.local25306-false10.0.1.14win-dc-622.attackrange.local389ldap 354300x80000000000000002383700Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:36.560{9A05EE67-DA28-6050-0B00-00000000B001}852C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-622.attackrange.local25305-false10.0.1.14win-dc-622.attackrange.local389ldap 354300x80000000000000002383699Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:36.560{9A05EE67-E89D-6050-2916-00000000B001}13432C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Diagnostics.Service.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-622.attackrange.local25305-false10.0.1.14win-dc-622.attackrange.local389ldap 10341000x80000000000000002383698Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.099{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-2599-6051-7923-00000000B001}19308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winhostinfo.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383697Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.099{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-2598-6051-7823-00000000B001}20636C:\Program Files\SplunkUniversalForwarder\bin\splunk-winhostinfo.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383696Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.098{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-20BB-6051-CA21-00000000B001}25052C:\Windows\system32\nslookup.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383695Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.098{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-20BB-6051-C921-00000000B001}16536C:\Windows\system32\nslookup.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383694Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.097{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-20BB-6051-C821-00000000B001}21956C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383693Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.097{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-20BB-6051-C721-00000000B001}23524C:\Windows\SYSTEM32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383692Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.096{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-20BB-6051-C621-00000000B001}10816C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383691Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.095{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-20BB-6051-C521-00000000B001}5244C:\Windows\SYSTEM32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383690Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.095{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-20A0-6051-A621-00000000B001}15716C:\Windows\system32\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383689Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.094{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-202A-6051-7E21-00000000B001}4240C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383688Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.093{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-1F89-6051-4021-00000000B001}19804C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383687Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.093{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-1F87-6051-3C21-00000000B001}12216C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383686Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.092{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-1F87-6051-3721-00000000B001}7928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383685Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.092{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-1F7A-6051-0D21-00000000B001}23396C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383684Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.091{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-1F79-6051-0921-00000000B001}26152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383683Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.090{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-1BDC-6051-3520-00000000B001}21456C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383682Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.090{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-1BDC-6051-3420-00000000B001}11392C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383681Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.089{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-1936-6051-B71F-00000000B001}17872C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383680Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.089{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-FD4A-6050-6C1A-00000000B001}24580C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383679Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.073{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-FD16-6050-571A-00000000B001}9584C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383678Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.073{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-FD16-6050-561A-00000000B001}24120C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383677Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.073{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-FD15-6050-551A-00000000B001}8612C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383676Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.073{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-FD15-6050-541A-00000000B001}18620C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383675Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.073{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-FD13-6050-531A-00000000B001}22004C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383674Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.073{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-ED2D-6050-6E17-00000000B001}22016c:\windows\system32\inetsrv\w3wp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383673Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.073{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-ED20-6050-6117-00000000B001}21992C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\scanningprocess.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383672Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.073{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-EBF9-6050-2E17-00000000B001}6188c:\windows\system32\inetsrv\w3wp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383671Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.073{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-EBB8-6050-1E17-00000000B001}16064c:\windows\system32\inetsrv\w3wp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383670Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.073{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E9FC-6050-C916-00000000B001}18272c:\windows\system32\inetsrv\w3wp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383669Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.073{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E9ED-6050-C816-00000000B001}5704c:\windows\system32\inetsrv\w3wp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383668Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.073{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E9BD-6050-B916-00000000B001}17328c:\windows\system32\inetsrv\w3wp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383667Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.073{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E96D-6050-AB16-00000000B001}15480c:\windows\system32\inetsrv\w3wp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383666Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.073{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E959-6050-8C16-00000000B001}6868c:\windows\system32\inetsrv\w3wp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383665Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.073{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E953-6050-8016-00000000B001}14944c:\windows\system32\inetsrv\w3wp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383664Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.073{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E950-6050-7C16-00000000B001}14520c:\windows\system32\inetsrv\w3wp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383663Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.073{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E946-6050-7116-00000000B001}10832c:\windows\system32\inetsrv\w3wp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383662Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.073{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E93F-6050-6A16-00000000B001}13552c:\windows\system32\inetsrv\w3wp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383661Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.073{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E93B-6050-6616-00000000B001}13336c:\windows\system32\inetsrv\w3wp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383660Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.073{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E8D2-6050-4E16-00000000B001}14156c:\windows\system32\inetsrv\w3wp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383659Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.073{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E8B2-6050-4716-00000000B001}11216C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMRecovery.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383658Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.073{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E8B0-6050-4416-00000000B001}11464C:\Windows\system32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383657Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.073{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E8AD-6050-4316-00000000B001}12744C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383656Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.073{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E8AD-6050-4216-00000000B001}13956C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383655Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.073{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E8AC-6050-4116-00000000B001}13236C:\Windows\system32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383654Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.073{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E8A8-6050-3F16-00000000B001}14088C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383653Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.073{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E89D-6050-2916-00000000B001}13432C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Diagnostics.Service.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383652Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.073{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E893-6050-2516-00000000B001}12676C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383651Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.057{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E893-6050-2416-00000000B001}11244C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\PopImap\Microsoft.Exchange.Imap4.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383650Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.057{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E891-6050-2316-00000000B001}11696C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\PopImap\Microsoft.Exchange.Imap4Service.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383649Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.057{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E889-6050-1F16-00000000B001}4832C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383648Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.057{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E889-6050-1E16-00000000B001}13088C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\PopImap\Microsoft.Exchange.Pop3.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383647Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.057{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E889-6050-1D16-00000000B001}4956C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\PopImap\Microsoft.Exchange.Pop3Service.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383646Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.057{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E886-6050-1C16-00000000B001}13040C:\Program Files\Microsoft\Exchange Server\V15\Bin\ComplianceAuditService.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383645Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.057{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E882-6050-1816-00000000B001}12912C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeCompliance.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383644Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.057{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E87A-6050-1716-00000000B001}13144C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383643Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.057{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E87A-6050-1616-00000000B001}13132C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Imap4.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383642Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.057{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E878-6050-1316-00000000B001}12860C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Imap4Service.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383641Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.057{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E86F-6050-1216-00000000B001}12292C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383640Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.057{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E86F-6050-1116-00000000B001}11120C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Pop3.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383639Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.057{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E86E-6050-1016-00000000B001}11884C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Pop3Service.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383638Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.057{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E867-6050-0B16-00000000B001}11960C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\CallRouter\Microsoft.Exchange.UM.CallRouter.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383637Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.057{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E864-6050-0616-00000000B001}12120C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383636Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.057{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383635Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.057{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E861-6050-0116-00000000B001}10868C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeTransport.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383634Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.057{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E85A-6050-F915-00000000B001}11772C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\scanningprocess.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383633Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.057{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E85A-6050-F815-00000000B001}11708C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\scanningprocess.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383632Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.057{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E856-6050-F015-00000000B001}11876C:\Program Files\Microsoft\Exchange Server\V15\Bin\ForefrontActiveDirectoryConnector.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383631Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.057{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E854-6050-E715-00000000B001}12284C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\updateservice.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383630Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.057{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E851-6050-D915-00000000B001}11424C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\FMS.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383629Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.057{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E84F-6050-D615-00000000B001}2888C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.EdgeSyncSvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383628Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.057{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E84F-6050-D515-00000000B001}9252C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.AntispamUpdateSvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383627Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.057{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E846-6050-A315-00000000B001}2032C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxReplication.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383626Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.057{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E843-6050-A115-00000000B001}2920C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.RpcClientAccess.Service.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383625Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.057{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E83F-6050-7C15-00000000B001}5876C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383624Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.057{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E82B-6050-7015-00000000B001}7156C:\Program Files\Microsoft\Exchange Server\V15\bin\UMworkerprocess.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383623Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.057{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E829-6050-6A15-00000000B001}2460C:\Program Files\Microsoft\Exchange Server\V15\Bin\umservice.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383622Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.057{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E826-6050-6715-00000000B001}10840C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383621Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.042{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E825-6050-6515-00000000B001}3388C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeTransportLogSearch.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383620Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.042{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E824-6050-6415-00000000B001}3100C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383619Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.042{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E807-6050-1215-00000000B001}10084C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.ServiceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383618Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.042{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E764-6050-1C13-00000000B001}9980C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Store.Worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383617Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.042{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E760-6050-1A13-00000000B001}9452C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Store.Service.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383616Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.042{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E75D-6050-1813-00000000B001}5196C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDagMgmt.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383615Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.042{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E75B-6050-1613-00000000B001}7048C:\Program Files\Microsoft\Exchange Server\V15\Bin\msexchangerepl.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383614Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.042{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E75A-6050-1513-00000000B001}8932C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeThrottling.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383613Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.042{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E759-6050-1413-00000000B001}7660C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeSubmission.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383612Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.042{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E758-6050-1313-00000000B001}5828C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Search.Service.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383611Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.042{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383610Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.042{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E750-6050-0E13-00000000B001}8088C:\Windows\system32\inetsrv\inetinfo.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383609Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.042{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E555-6050-DF0C-00000000B001}9164C:\Windows\system32\wbem\wmiprvse.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383608Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.042{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E33A-6050-3208-00000000B001}9064C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\NodeRunner.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383607Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.042{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E335-6050-1D08-00000000B001}9176C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Directory.TopologyService.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383606Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.042{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E325-6050-FD07-00000000B001}6036C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\NodeRunner.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383605Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.042{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E321-6050-FC07-00000000B001}6508C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\ResourceProfile\contentengine\NodeRunner.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383604Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.042{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E311-6050-F707-00000000B001}3708C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\NodeRunner.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383603Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.042{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E30D-6050-F507-00000000B001}6040C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\HostController\hostcontrollerservice.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383602Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.042{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E30C-6050-F407-00000000B001}5104C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Diagnostics\TraceService\sftracing.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383601Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.042{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-DFE8-6050-5902-00000000B001}3204C:\Windows\system32\inetsrv\wmsvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383600Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.042{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-DAB6-6050-A800-00000000B001}5792C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383599Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.042{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-DAA4-6050-9C00-00000000B001}5232C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383598Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.042{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-DAA4-6050-9B00-00000000B001}5128C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383597Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.042{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-DAA3-6050-9A00-00000000B001}4712C:\Windows\Explorer.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383596Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.042{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-DAA2-6050-9400-00000000B001}2476C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383595Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.026{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-DAA2-6050-9100-00000000B001}4980C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383594Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.026{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-DAA0-6050-8E00-00000000B001}1168C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383593Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.026{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-DAA0-6050-8C00-00000000B001}4796C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383592Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.026{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-DA3D-6050-4700-00000000B001}4260C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383591Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.026{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-DA3D-6050-4200-00000000B001}4152C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383590Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.026{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-DA3C-6050-3800-00000000B001}3756C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383589Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.026{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-DA3C-6050-3600-00000000B001}3636C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383588Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.026{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-DA3B-6050-3300-00000000B001}2160C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383587Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.026{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-DA3B-6050-3200-00000000B001}2204C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383586Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.026{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-DA3B-6050-3000-00000000B001}2900C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383585Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.026{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-DA3B-6050-2F00-00000000B001}2468C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383584Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.026{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-DA3B-6050-2E00-00000000B001}2880C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383583Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.026{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-DA3B-6050-2D00-00000000B001}2780C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383582Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.026{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-DA3B-6050-2C00-00000000B001}2736C:\Windows\system32\mqsvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383581Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.026{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-DA3B-6050-2B00-00000000B001}2488C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383580Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.026{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-DA3B-6050-2A00-00000000B001}2656C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383579Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.026{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-DA3B-6050-2900-00000000B001}2612C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383578Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.026{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-DA3B-6050-2800-00000000B001}2620C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383577Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.026{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-DA3B-6050-2600-00000000B001}1928C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383576Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.026{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-DA3B-6050-2500-00000000B001}2140C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383575Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.026{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-DA35-6050-2300-00000000B001}2932C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383574Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.026{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-DA2C-6050-2100-00000000B001}2400C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383573Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.026{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-DA2B-6050-1700-00000000B001}1784C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383572Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.026{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-DA2B-6050-1600-00000000B001}1536C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383571Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.026{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-DA2B-6050-1500-00000000B001}1476C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383570Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.026{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-DA2B-6050-1400-00000000B001}1232C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383569Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.026{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-DA2B-6050-1300-00000000B001}1224C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383568Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.026{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-DA2B-6050-1200-00000000B001}1200C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383567Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.026{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-DA2B-6050-1100-00000000B001}1152C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383566Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.010{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-DA2B-6050-1000-00000000B001}1144C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383565Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.010{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-DA2B-6050-0F00-00000000B001}1112C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383564Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.010{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-DA2B-6050-0E00-00000000B001}1064C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383563Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.010{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-DA2B-6050-0D00-00000000B001}624C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383562Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.010{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-DA2B-6050-0C00-00000000B001}584C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383561Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.010{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-DA28-6050-0B00-00000000B001}852C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002383560Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:38.010{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-DA28-6050-0900-00000000B001}792C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 354300x80000000000000002383713Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:37.437{9A05EE67-DA28-6050-0B00-00000000B001}852C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:e9f1:b27:5240:b65win-dc-622.attackrange.local25310-truefe80:0:0:0:e9f1:b27:5240:b65win-dc-622.attackrange.local389ldap 354300x80000000000000002383712Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:37.437{9A05EE67-E8AD-6050-4216-00000000B001}13956C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:e9f1:b27:5240:b65win-dc-622.attackrange.local25310-truefe80:0:0:0:e9f1:b27:5240:b65win-dc-622.attackrange.local389ldap 354300x80000000000000002383711Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:37.434{9A05EE67-DA28-6050-0B00-00000000B001}852C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:e9f1:b27:5240:b65win-dc-622.attackrange.local25309-truefe80:0:0:0:e9f1:b27:5240:b65win-dc-622.attackrange.local389ldap 354300x80000000000000002383710Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:37.434{9A05EE67-E8AD-6050-4216-00000000B001}13956C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:e9f1:b27:5240:b65win-dc-622.attackrange.local25309-truefe80:0:0:0:e9f1:b27:5240:b65win-dc-622.attackrange.local389ldap 354300x80000000000000002383709Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:37.433{9A05EE67-DA26-6050-0100-00000000B001}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse127.0.0.1win-dc-622.attackrange.local25308-false127.0.0.1win-dc-622.attackrange.local443https 354300x80000000000000002383708Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:37.433{9A05EE67-E8AD-6050-4216-00000000B001}13956C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exeNT AUTHORITY\SYSTEMtcptruefalse127.0.0.1win-dc-622.attackrange.local25308-false127.0.0.1win-dc-622.attackrange.local443https 18141800x80000000000000002383707Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-ConnectPipe2021-03-16 21:39:39.354{9A05EE67-E758-6050-1313-00000000B001}5828\b0a9dfbd-e28e-4fe8-be74-335074a102bcC:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Search.Service.exe 18141800x80000000000000002383706Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-ConnectPipe2021-03-16 21:39:39.354{9A05EE67-E758-6050-1313-00000000B001}5828\b0a9dfbd-e28e-4fe8-be74-335074a102bcC:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Search.Service.exe 10341000x80000000000000002384497Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.667{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384496Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.667{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384495Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.667{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384494Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.667{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384493Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.667{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384492Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.667{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384491Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.667{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384490Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.667{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384489Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.667{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384488Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.667{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384487Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.667{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384486Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.667{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384485Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.667{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384484Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.667{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384483Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.667{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384482Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.667{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384481Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.667{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384480Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.667{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384479Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.667{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E321-6050-FC07-00000000B001}6508C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\ResourceProfile\contentengine\NodeRunner.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384478Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.667{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E321-6050-FC07-00000000B001}6508C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\ResourceProfile\contentengine\NodeRunner.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384477Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E824-6050-6415-00000000B001}3100C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384476Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E824-6050-6415-00000000B001}3100C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384475Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E824-6050-6415-00000000B001}3100C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384474Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E824-6050-6415-00000000B001}3100C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384473Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E824-6050-6415-00000000B001}3100C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384472Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E824-6050-6415-00000000B001}3100C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384471Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E824-6050-6415-00000000B001}3100C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384470Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E824-6050-6415-00000000B001}3100C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384469Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E824-6050-6415-00000000B001}3100C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384468Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E824-6050-6415-00000000B001}3100C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384467Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E824-6050-6415-00000000B001}3100C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384466Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E824-6050-6415-00000000B001}3100C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384465Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E824-6050-6415-00000000B001}3100C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384464Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E824-6050-6415-00000000B001}3100C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384463Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E824-6050-6415-00000000B001}3100C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384462Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E824-6050-6415-00000000B001}3100C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384461Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E824-6050-6415-00000000B001}3100C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384460Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E824-6050-6415-00000000B001}3100C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384459Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E824-6050-6415-00000000B001}3100C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384458Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E824-6050-6415-00000000B001}3100C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384457Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E824-6050-6415-00000000B001}3100C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384456Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E824-6050-6415-00000000B001}3100C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384455Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384454Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384453Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384452Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384451Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384450Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384449Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384448Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384447Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384446Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384445Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384444Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384443Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384442Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384441Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384440Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384439Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384438Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384437Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384436Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384435Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384434Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384433Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384432Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384431Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384430Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384429Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384428Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384427Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384426Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384425Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384424Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384423Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384422Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384421Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384420Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384419Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384418Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384417Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384416Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384415Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384414Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384413Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384412Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384411Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384410Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384409Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384408Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384407Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384406Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384405Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384404Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384403Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384402Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384401Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384400Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384399Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384398Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384397Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384396Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384395Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384394Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384393Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384392Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384391Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384390Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384389Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384388Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384387Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384386Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384385Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384384Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384383Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384382Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384381Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384380Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384379Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384378Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384377Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384376Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384375Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384374Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384373Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384372Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E807-6050-1215-00000000B001}10084C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.ServiceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384371Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E846-6050-A315-00000000B001}2032C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxReplication.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384370Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E846-6050-A315-00000000B001}2032C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxReplication.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384369Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E846-6050-A315-00000000B001}2032C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxReplication.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384368Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E846-6050-A315-00000000B001}2032C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxReplication.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384367Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E886-6050-1C16-00000000B001}13040C:\Program Files\Microsoft\Exchange Server\V15\Bin\ComplianceAuditService.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384366Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384365Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384364Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384363Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384362Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E75B-6050-1613-00000000B001}7048C:\Program Files\Microsoft\Exchange Server\V15\Bin\msexchangerepl.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384361Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E75B-6050-1613-00000000B001}7048C:\Program Files\Microsoft\Exchange Server\V15\Bin\msexchangerepl.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384360Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E75B-6050-1613-00000000B001}7048C:\Program Files\Microsoft\Exchange Server\V15\Bin\msexchangerepl.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384359Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E75B-6050-1613-00000000B001}7048C:\Program Files\Microsoft\Exchange Server\V15\Bin\msexchangerepl.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384358Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E807-6050-1215-00000000B001}10084C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.ServiceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384357Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E807-6050-1215-00000000B001}10084C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.ServiceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384356Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E807-6050-1215-00000000B001}10084C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.ServiceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384355Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E807-6050-1215-00000000B001}10084C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.ServiceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384354Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E846-6050-A315-00000000B001}2032C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxReplication.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384353Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E846-6050-A315-00000000B001}2032C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxReplication.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384352Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E846-6050-A315-00000000B001}2032C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxReplication.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384351Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E846-6050-A315-00000000B001}2032C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxReplication.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384350Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E886-6050-1C16-00000000B001}13040C:\Program Files\Microsoft\Exchange Server\V15\Bin\ComplianceAuditService.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384349Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E886-6050-1C16-00000000B001}13040C:\Program Files\Microsoft\Exchange Server\V15\Bin\ComplianceAuditService.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384348Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E886-6050-1C16-00000000B001}13040C:\Program Files\Microsoft\Exchange Server\V15\Bin\ComplianceAuditService.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384347Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E886-6050-1C16-00000000B001}13040C:\Program Files\Microsoft\Exchange Server\V15\Bin\ComplianceAuditService.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384346Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384345Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E75B-6050-1613-00000000B001}7048C:\Program Files\Microsoft\Exchange Server\V15\Bin\msexchangerepl.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384344Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E807-6050-1215-00000000B001}10084C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.ServiceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384343Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E846-6050-A315-00000000B001}2032C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxReplication.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384342Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E886-6050-1C16-00000000B001}13040C:\Program Files\Microsoft\Exchange Server\V15\Bin\ComplianceAuditService.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384341Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-ED2D-6050-6E17-00000000B001}22016c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384340Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384339Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384338Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E759-6050-1413-00000000B001}7660C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeSubmission.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384337Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E759-6050-1413-00000000B001}7660C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeSubmission.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384336Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E759-6050-1413-00000000B001}7660C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeSubmission.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384335Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E759-6050-1413-00000000B001}7660C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeSubmission.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384334Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E759-6050-1413-00000000B001}7660C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeSubmission.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384333Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E759-6050-1413-00000000B001}7660C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeSubmission.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384332Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E759-6050-1413-00000000B001}7660C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeSubmission.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384331Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E759-6050-1413-00000000B001}7660C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeSubmission.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384330Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E759-6050-1413-00000000B001}7660C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeSubmission.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384329Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E759-6050-1413-00000000B001}7660C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeSubmission.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384328Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E759-6050-1413-00000000B001}7660C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeSubmission.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384327Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E758-6050-1313-00000000B001}5828C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Search.Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384326Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E758-6050-1313-00000000B001}5828C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Search.Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384325Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E950-6050-7C16-00000000B001}14520c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384324Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E950-6050-7C16-00000000B001}14520c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384323Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E321-6050-FC07-00000000B001}6508C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\ResourceProfile\contentengine\NodeRunner.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384322Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E758-6050-1313-00000000B001}5828C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Search.Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384321Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384320Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E8AD-6050-4216-00000000B001}13956C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384319Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E807-6050-1215-00000000B001}10084C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.ServiceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384318Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E846-6050-A315-00000000B001}2032C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxReplication.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384317Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E8A8-6050-3F16-00000000B001}14088C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384316Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E8D2-6050-4E16-00000000B001}14156c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384315Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E843-6050-A115-00000000B001}2920C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.RpcClientAccess.Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384314Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E9BD-6050-B916-00000000B001}17328c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384313Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E950-6050-7C16-00000000B001}14520c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384312Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-ED2D-6050-6E17-00000000B001}22016c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384311Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E959-6050-8C16-00000000B001}6868c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384310Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E846-6050-A315-00000000B001}2032C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxReplication.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384309Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E846-6050-A315-00000000B001}2032C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxReplication.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384308Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384307Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384306Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384305Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E8AD-6050-4216-00000000B001}13956C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384304Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E8A8-6050-3F16-00000000B001}14088C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384303Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E8D2-6050-4E16-00000000B001}14156c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384302Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E950-6050-7C16-00000000B001}14520c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384301Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E826-6050-6715-00000000B001}10840C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384300Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E826-6050-6715-00000000B001}10840C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384299Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E826-6050-6715-00000000B001}10840C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384298Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E826-6050-6715-00000000B001}10840C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384297Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E826-6050-6715-00000000B001}10840C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384296Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E826-6050-6715-00000000B001}10840C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384295Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E826-6050-6715-00000000B001}10840C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384294Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E826-6050-6715-00000000B001}10840C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384293Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E826-6050-6715-00000000B001}10840C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384292Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E826-6050-6715-00000000B001}10840C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384291Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E826-6050-6715-00000000B001}10840C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384290Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E826-6050-6715-00000000B001}10840C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384289Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E826-6050-6715-00000000B001}10840C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384288Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E826-6050-6715-00000000B001}10840C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384287Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E826-6050-6715-00000000B001}10840C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384286Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E826-6050-6715-00000000B001}10840C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384285Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E826-6050-6715-00000000B001}10840C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384284Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E826-6050-6715-00000000B001}10840C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384283Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384282Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E759-6050-1413-00000000B001}7660C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeSubmission.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384281Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E759-6050-1413-00000000B001}7660C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeSubmission.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384280Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384279Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384278Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E8AD-6050-4216-00000000B001}13956C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384277Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E8AD-6050-4216-00000000B001}13956C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384276Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E8A8-6050-3F16-00000000B001}14088C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384275Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E8A8-6050-3F16-00000000B001}14088C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384274Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E8D2-6050-4E16-00000000B001}14156c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384273Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E8D2-6050-4E16-00000000B001}14156c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384272Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E950-6050-7C16-00000000B001}14520c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384271Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E950-6050-7C16-00000000B001}14520c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384270Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384269Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E759-6050-1413-00000000B001}7660C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeSubmission.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384268Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E8A8-6050-3F16-00000000B001}14088C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384267Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E959-6050-8C16-00000000B001}6868c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384266Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E335-6050-1D08-00000000B001}9176C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Directory.TopologyService.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384265Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E807-6050-1215-00000000B001}10084C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.ServiceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384264Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384263Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E758-6050-1313-00000000B001}5828C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Search.Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384262Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E75A-6050-1513-00000000B001}8932C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeThrottling.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384261Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E759-6050-1413-00000000B001}7660C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeSubmission.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384260Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E75B-6050-1613-00000000B001}7048C:\Program Files\Microsoft\Exchange Server\V15\Bin\msexchangerepl.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384259Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E75D-6050-1813-00000000B001}5196C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDagMgmt.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384258Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E760-6050-1A13-00000000B001}9452C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Store.Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384257Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E764-6050-1C13-00000000B001}9980C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Store.Worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384256Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E321-6050-FC07-00000000B001}6508C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\ResourceProfile\contentengine\NodeRunner.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384255Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E824-6050-6415-00000000B001}3100C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384254Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E825-6050-6515-00000000B001}3388C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeTransportLogSearch.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384253Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E826-6050-6715-00000000B001}10840C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384252Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E829-6050-6A15-00000000B001}2460C:\Program Files\Microsoft\Exchange Server\V15\Bin\umservice.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384251Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E82B-6050-7015-00000000B001}7156C:\Program Files\Microsoft\Exchange Server\V15\bin\UMworkerprocess.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384250Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E843-6050-A115-00000000B001}2920C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.RpcClientAccess.Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384249Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E846-6050-A315-00000000B001}2032C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxReplication.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384248Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E84F-6050-D615-00000000B001}2888C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.EdgeSyncSvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384247Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E856-6050-F015-00000000B001}11876C:\Program Files\Microsoft\Exchange Server\V15\Bin\ForefrontActiveDirectoryConnector.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384246Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E861-6050-0116-00000000B001}10868C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384245Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384244Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E867-6050-0B16-00000000B001}11960C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\CallRouter\Microsoft.Exchange.UM.CallRouter.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384243Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E86F-6050-1116-00000000B001}11120C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Pop3.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384242Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E86E-6050-1016-00000000B001}11884C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Pop3Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384241Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E87A-6050-1616-00000000B001}13132C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Imap4.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384240Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E878-6050-1316-00000000B001}12860C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Imap4Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384239Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E882-6050-1816-00000000B001}12912C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeCompliance.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384238Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E886-6050-1C16-00000000B001}13040C:\Program Files\Microsoft\Exchange Server\V15\Bin\ComplianceAuditService.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384237Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E8A8-6050-3F16-00000000B001}14088C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384236Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E8AD-6050-4216-00000000B001}13956C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384235Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E8D2-6050-4E16-00000000B001}14156c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384234Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E93B-6050-6616-00000000B001}13336c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384233Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E93F-6050-6A16-00000000B001}13552c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384232Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E946-6050-7116-00000000B001}10832c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384231Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-ED2D-6050-6E17-00000000B001}22016c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384230Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E950-6050-7C16-00000000B001}14520c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384229Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E953-6050-8016-00000000B001}14944c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384228Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E8D2-6050-4E16-00000000B001}14156c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384227Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E959-6050-8C16-00000000B001}6868c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384226Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-EBB8-6050-1E17-00000000B001}16064c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384225Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E959-6050-8C16-00000000B001}6868c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384224Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-EBF9-6050-2E17-00000000B001}6188c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384223Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E950-6050-7C16-00000000B001}14520c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384222Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-ED2D-6050-6E17-00000000B001}22016c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384221Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E96D-6050-AB16-00000000B001}15480c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384220Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E9BD-6050-B916-00000000B001}17328c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384219Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E9FC-6050-C916-00000000B001}18272c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384218Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E946-6050-7116-00000000B001}10832c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384217Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E335-6050-1D08-00000000B001}9176C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Directory.TopologyService.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384216Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E758-6050-1313-00000000B001}5828C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Search.Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384215Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E321-6050-FC07-00000000B001}6508C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\ResourceProfile\contentengine\NodeRunner.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384214Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384213Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E75A-6050-1513-00000000B001}8932C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeThrottling.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384212Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E759-6050-1413-00000000B001}7660C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeSubmission.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384211Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E75B-6050-1613-00000000B001}7048C:\Program Files\Microsoft\Exchange Server\V15\Bin\msexchangerepl.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384210Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E75D-6050-1813-00000000B001}5196C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDagMgmt.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384209Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E760-6050-1A13-00000000B001}9452C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Store.Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384208Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E764-6050-1C13-00000000B001}9980C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Store.Worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384207Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E8AD-6050-4216-00000000B001}13956C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384206Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E8A8-6050-3F16-00000000B001}14088C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384205Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E807-6050-1215-00000000B001}10084C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.ServiceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384204Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E824-6050-6415-00000000B001}3100C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384203Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E825-6050-6515-00000000B001}3388C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeTransportLogSearch.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384202Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E826-6050-6715-00000000B001}10840C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384201Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E829-6050-6A15-00000000B001}2460C:\Program Files\Microsoft\Exchange Server\V15\Bin\umservice.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384200Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E82B-6050-7015-00000000B001}7156C:\Program Files\Microsoft\Exchange Server\V15\bin\UMworkerprocess.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384199Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E843-6050-A115-00000000B001}2920C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.RpcClientAccess.Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384198Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E846-6050-A315-00000000B001}2032C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxReplication.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384197Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E84F-6050-D615-00000000B001}2888C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.EdgeSyncSvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384196Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E856-6050-F015-00000000B001}11876C:\Program Files\Microsoft\Exchange Server\V15\Bin\ForefrontActiveDirectoryConnector.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384195Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E861-6050-0116-00000000B001}10868C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384194Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384193Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E867-6050-0B16-00000000B001}11960C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\CallRouter\Microsoft.Exchange.UM.CallRouter.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384192Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E86F-6050-1116-00000000B001}11120C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Pop3.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384191Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E86E-6050-1016-00000000B001}11884C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Pop3Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384190Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E87A-6050-1616-00000000B001}13132C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Imap4.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384189Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E878-6050-1316-00000000B001}12860C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Imap4Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384188Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E882-6050-1816-00000000B001}12912C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeCompliance.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384187Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E886-6050-1C16-00000000B001}13040C:\Program Files\Microsoft\Exchange Server\V15\Bin\ComplianceAuditService.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384186Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E889-6050-1E16-00000000B001}13088C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\PopImap\Microsoft.Exchange.Pop3.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384185Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E889-6050-1D16-00000000B001}4956C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\PopImap\Microsoft.Exchange.Pop3Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384184Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E893-6050-2416-00000000B001}11244C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\PopImap\Microsoft.Exchange.Imap4.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384183Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E891-6050-2316-00000000B001}11696C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\PopImap\Microsoft.Exchange.Imap4Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384182Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E8D2-6050-4E16-00000000B001}14156c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384181Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E93B-6050-6616-00000000B001}13336c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384180Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E93F-6050-6A16-00000000B001}13552c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384179Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E946-6050-7116-00000000B001}10832c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384178Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E950-6050-7C16-00000000B001}14520c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384177Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E953-6050-8016-00000000B001}14944c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384176Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E8D2-6050-4E16-00000000B001}14156c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384175Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E959-6050-8C16-00000000B001}6868c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384174Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E959-6050-8C16-00000000B001}6868c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384173Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E950-6050-7C16-00000000B001}14520c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384172Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E96D-6050-AB16-00000000B001}15480c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384171Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E9BD-6050-B916-00000000B001}17328c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384170Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E9ED-6050-C816-00000000B001}5704c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384169Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E9FC-6050-C916-00000000B001}18272c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384168Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-EBB8-6050-1E17-00000000B001}16064c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384167Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-EBF9-6050-2E17-00000000B001}6188c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384166Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-ED2D-6050-6E17-00000000B001}22016c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384165Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-ED2D-6050-6E17-00000000B001}22016c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384164Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E946-6050-7116-00000000B001}10832c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384163Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E335-6050-1D08-00000000B001}9176C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Directory.TopologyService.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384162Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E335-6050-1D08-00000000B001}9176C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Directory.TopologyService.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384161Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E335-6050-1D08-00000000B001}9176C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Directory.TopologyService.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384160Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E807-6050-1215-00000000B001}10084C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.ServiceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384159Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E807-6050-1215-00000000B001}10084C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.ServiceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384158Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E807-6050-1215-00000000B001}10084C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.ServiceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384157Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384156Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384155Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384154Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E758-6050-1313-00000000B001}5828C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Search.Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384153Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E758-6050-1313-00000000B001}5828C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Search.Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384152Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E758-6050-1313-00000000B001}5828C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Search.Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384151Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E75A-6050-1513-00000000B001}8932C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeThrottling.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384150Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E75A-6050-1513-00000000B001}8932C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeThrottling.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384149Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E75A-6050-1513-00000000B001}8932C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeThrottling.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384148Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E759-6050-1413-00000000B001}7660C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeSubmission.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384147Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E759-6050-1413-00000000B001}7660C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeSubmission.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384146Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E759-6050-1413-00000000B001}7660C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeSubmission.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384145Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E75B-6050-1613-00000000B001}7048C:\Program Files\Microsoft\Exchange Server\V15\Bin\msexchangerepl.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384144Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E75B-6050-1613-00000000B001}7048C:\Program Files\Microsoft\Exchange Server\V15\Bin\msexchangerepl.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384143Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E75B-6050-1613-00000000B001}7048C:\Program Files\Microsoft\Exchange Server\V15\Bin\msexchangerepl.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384142Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E75D-6050-1813-00000000B001}5196C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDagMgmt.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384141Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E75D-6050-1813-00000000B001}5196C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDagMgmt.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384140Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E75D-6050-1813-00000000B001}5196C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDagMgmt.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384139Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E760-6050-1A13-00000000B001}9452C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Store.Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384138Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E760-6050-1A13-00000000B001}9452C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Store.Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384137Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E760-6050-1A13-00000000B001}9452C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Store.Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384136Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E764-6050-1C13-00000000B001}9980C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Store.Worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384135Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E764-6050-1C13-00000000B001}9980C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Store.Worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384134Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E764-6050-1C13-00000000B001}9980C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Store.Worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384133Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E321-6050-FC07-00000000B001}6508C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\ResourceProfile\contentengine\NodeRunner.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384132Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E321-6050-FC07-00000000B001}6508C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\ResourceProfile\contentengine\NodeRunner.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384131Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E321-6050-FC07-00000000B001}6508C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\ResourceProfile\contentengine\NodeRunner.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384130Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E824-6050-6415-00000000B001}3100C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384129Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E824-6050-6415-00000000B001}3100C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384128Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E824-6050-6415-00000000B001}3100C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384127Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E825-6050-6515-00000000B001}3388C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeTransportLogSearch.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384126Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E825-6050-6515-00000000B001}3388C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeTransportLogSearch.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384125Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E825-6050-6515-00000000B001}3388C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeTransportLogSearch.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384124Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E826-6050-6715-00000000B001}10840C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384123Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E826-6050-6715-00000000B001}10840C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384122Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E826-6050-6715-00000000B001}10840C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384121Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E829-6050-6A15-00000000B001}2460C:\Program Files\Microsoft\Exchange Server\V15\Bin\umservice.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384120Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E829-6050-6A15-00000000B001}2460C:\Program Files\Microsoft\Exchange Server\V15\Bin\umservice.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384119Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E829-6050-6A15-00000000B001}2460C:\Program Files\Microsoft\Exchange Server\V15\Bin\umservice.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384118Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E82B-6050-7015-00000000B001}7156C:\Program Files\Microsoft\Exchange Server\V15\bin\UMworkerprocess.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384117Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E82B-6050-7015-00000000B001}7156C:\Program Files\Microsoft\Exchange Server\V15\bin\UMworkerprocess.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384116Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E82B-6050-7015-00000000B001}7156C:\Program Files\Microsoft\Exchange Server\V15\bin\UMworkerprocess.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384115Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E843-6050-A115-00000000B001}2920C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.RpcClientAccess.Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384114Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E843-6050-A115-00000000B001}2920C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.RpcClientAccess.Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384113Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E843-6050-A115-00000000B001}2920C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.RpcClientAccess.Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384112Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E846-6050-A315-00000000B001}2032C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxReplication.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384111Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E846-6050-A315-00000000B001}2032C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxReplication.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384110Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E846-6050-A315-00000000B001}2032C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxReplication.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384109Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E84F-6050-D615-00000000B001}2888C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.EdgeSyncSvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384108Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E84F-6050-D615-00000000B001}2888C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.EdgeSyncSvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384107Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E84F-6050-D615-00000000B001}2888C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.EdgeSyncSvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384106Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E856-6050-F015-00000000B001}11876C:\Program Files\Microsoft\Exchange Server\V15\Bin\ForefrontActiveDirectoryConnector.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384105Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E856-6050-F015-00000000B001}11876C:\Program Files\Microsoft\Exchange Server\V15\Bin\ForefrontActiveDirectoryConnector.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384104Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E856-6050-F015-00000000B001}11876C:\Program Files\Microsoft\Exchange Server\V15\Bin\ForefrontActiveDirectoryConnector.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384103Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E861-6050-0116-00000000B001}10868C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384102Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E861-6050-0116-00000000B001}10868C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384101Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E861-6050-0116-00000000B001}10868C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384100Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384099Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384098Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384097Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E867-6050-0B16-00000000B001}11960C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\CallRouter\Microsoft.Exchange.UM.CallRouter.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384096Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E867-6050-0B16-00000000B001}11960C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\CallRouter\Microsoft.Exchange.UM.CallRouter.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384095Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E867-6050-0B16-00000000B001}11960C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\CallRouter\Microsoft.Exchange.UM.CallRouter.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384094Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E86F-6050-1116-00000000B001}11120C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Pop3.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384093Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E86F-6050-1116-00000000B001}11120C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Pop3.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384092Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E86F-6050-1116-00000000B001}11120C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Pop3.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384091Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E86E-6050-1016-00000000B001}11884C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Pop3Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384090Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E86E-6050-1016-00000000B001}11884C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Pop3Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384089Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E86E-6050-1016-00000000B001}11884C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Pop3Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384088Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E87A-6050-1616-00000000B001}13132C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Imap4.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384087Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E87A-6050-1616-00000000B001}13132C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Imap4.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384086Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E87A-6050-1616-00000000B001}13132C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Imap4.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384085Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E878-6050-1316-00000000B001}12860C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Imap4Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384084Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E878-6050-1316-00000000B001}12860C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Imap4Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384083Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E878-6050-1316-00000000B001}12860C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Imap4Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384082Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E882-6050-1816-00000000B001}12912C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeCompliance.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384081Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E882-6050-1816-00000000B001}12912C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeCompliance.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384080Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E882-6050-1816-00000000B001}12912C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeCompliance.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384079Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E886-6050-1C16-00000000B001}13040C:\Program Files\Microsoft\Exchange Server\V15\Bin\ComplianceAuditService.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384078Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E886-6050-1C16-00000000B001}13040C:\Program Files\Microsoft\Exchange Server\V15\Bin\ComplianceAuditService.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384077Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E886-6050-1C16-00000000B001}13040C:\Program Files\Microsoft\Exchange Server\V15\Bin\ComplianceAuditService.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384076Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E8A8-6050-3F16-00000000B001}14088C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384075Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E8A8-6050-3F16-00000000B001}14088C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384074Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E8A8-6050-3F16-00000000B001}14088C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384073Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E8AD-6050-4216-00000000B001}13956C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384072Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E8AD-6050-4216-00000000B001}13956C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384071Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E8AD-6050-4216-00000000B001}13956C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384070Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E8D2-6050-4E16-00000000B001}14156c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384069Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E8D2-6050-4E16-00000000B001}14156c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384068Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E8D2-6050-4E16-00000000B001}14156c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384067Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E93B-6050-6616-00000000B001}13336c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384066Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E93B-6050-6616-00000000B001}13336c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384065Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E93B-6050-6616-00000000B001}13336c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384064Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E93F-6050-6A16-00000000B001}13552c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384063Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E93F-6050-6A16-00000000B001}13552c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384062Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E93F-6050-6A16-00000000B001}13552c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384061Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E946-6050-7116-00000000B001}10832c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384060Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E946-6050-7116-00000000B001}10832c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384059Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E946-6050-7116-00000000B001}10832c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384058Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-ED2D-6050-6E17-00000000B001}22016c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384057Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-ED2D-6050-6E17-00000000B001}22016c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384056Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-ED2D-6050-6E17-00000000B001}22016c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384055Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E953-6050-8016-00000000B001}14944c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384054Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E950-6050-7C16-00000000B001}14520c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384053Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E953-6050-8016-00000000B001}14944c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384052Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E950-6050-7C16-00000000B001}14520c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384051Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E953-6050-8016-00000000B001}14944c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384050Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E950-6050-7C16-00000000B001}14520c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384049Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E959-6050-8C16-00000000B001}6868c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384048Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E959-6050-8C16-00000000B001}6868c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384047Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E959-6050-8C16-00000000B001}6868c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384046Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-EBB8-6050-1E17-00000000B001}16064c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384045Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-EBB8-6050-1E17-00000000B001}16064c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384044Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-EBB8-6050-1E17-00000000B001}16064c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384043Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-EBF9-6050-2E17-00000000B001}6188c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384042Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-EBF9-6050-2E17-00000000B001}6188c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384041Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-EBF9-6050-2E17-00000000B001}6188c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384040Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E96D-6050-AB16-00000000B001}15480c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384039Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E96D-6050-AB16-00000000B001}15480c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384038Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E96D-6050-AB16-00000000B001}15480c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384037Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E9BD-6050-B916-00000000B001}17328c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384036Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E9BD-6050-B916-00000000B001}17328c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384035Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E9BD-6050-B916-00000000B001}17328c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384034Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E9ED-6050-C816-00000000B001}5704c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384033Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E9ED-6050-C816-00000000B001}5704c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384032Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E9ED-6050-C816-00000000B001}5704c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384031Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E9FC-6050-C916-00000000B001}18272c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384030Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E9FC-6050-C916-00000000B001}18272c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384029Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E9FC-6050-C916-00000000B001}18272c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384028Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E759-6050-1413-00000000B001}7660C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeSubmission.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384027Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.620{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E826-6050-6715-00000000B001}10840C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384026Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.603{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384025Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.603{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384024Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.603{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384023Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.603{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384022Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.603{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384021Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.603{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384020Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.603{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384019Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.603{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384018Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.603{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384017Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.603{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E861-6050-0116-00000000B001}10868C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384016Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.603{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384015Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.603{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384014Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.603{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384013Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.603{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384012Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.603{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384011Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.603{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384010Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.603{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384009Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.603{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E759-6050-1413-00000000B001}7660C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeSubmission.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384008Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.603{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E824-6050-6415-00000000B001}3100C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384007Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.603{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E826-6050-6715-00000000B001}10840C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384006Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.603{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384005Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.603{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384004Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.603{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384003Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.603{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384002Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.603{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384001Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.603{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384000Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.603{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383999Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.603{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383998Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.603{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383997Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.603{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383996Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.603{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383995Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.603{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-20BB-6051-CA21-00000000B001}25052C:\Windows\system32\nslookup.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383994Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.603{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-20BB-6051-CA21-00000000B001}25052C:\Windows\system32\nslookup.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383993Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.603{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-20BB-6051-C921-00000000B001}16536C:\Windows\system32\nslookup.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383992Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.603{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-20BB-6051-C921-00000000B001}16536C:\Windows\system32\nslookup.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383991Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.603{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-20BB-6051-C821-00000000B001}21956C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383990Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.602{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-20BB-6051-C821-00000000B001}21956C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383989Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.602{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-20BB-6051-C721-00000000B001}23524C:\Windows\SYSTEM32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383988Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.602{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-20BB-6051-C721-00000000B001}23524C:\Windows\SYSTEM32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383987Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.602{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-20BB-6051-C621-00000000B001}10816C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383986Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.602{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-20BB-6051-C621-00000000B001}10816C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383985Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.602{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-20BB-6051-C521-00000000B001}5244C:\Windows\SYSTEM32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383984Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.602{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-20BB-6051-C521-00000000B001}5244C:\Windows\SYSTEM32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383983Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.602{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-20A0-6051-A621-00000000B001}15716C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383982Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.601{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-20A0-6051-A621-00000000B001}15716C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383981Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.601{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-202A-6051-7E21-00000000B001}4240C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383980Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.601{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-202A-6051-7E21-00000000B001}4240C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383979Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.601{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-1F89-6051-4021-00000000B001}19804C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383978Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.601{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-1F89-6051-4021-00000000B001}19804C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383977Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.601{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-1F87-6051-3C21-00000000B001}12216C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383976Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.601{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-1F87-6051-3C21-00000000B001}12216C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383975Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.601{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-1F87-6051-3721-00000000B001}7928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383974Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.601{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-1F87-6051-3721-00000000B001}7928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383973Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.600{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-1F7A-6051-0D21-00000000B001}23396C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383972Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.600{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-1F7A-6051-0D21-00000000B001}23396C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383971Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.600{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-1F79-6051-0921-00000000B001}26152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383970Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.600{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-1F79-6051-0921-00000000B001}26152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383969Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.600{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-1D10-6051-7820-00000000B001}20976C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383968Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.600{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-1D10-6051-7820-00000000B001}20976C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383967Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.600{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-1BDC-6051-3520-00000000B001}21456C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383966Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.600{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-1BDC-6051-3520-00000000B001}21456C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383965Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.599{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-1BDC-6051-3420-00000000B001}11392C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383964Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.599{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-1BDC-6051-3420-00000000B001}11392C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383963Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.599{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-1936-6051-B71F-00000000B001}17872C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383962Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.599{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-1936-6051-B71F-00000000B001}17872C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383961Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.599{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-FD4A-6050-6C1A-00000000B001}24580C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383960Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.599{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-FD4A-6050-6C1A-00000000B001}24580C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383959Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.598{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-FD16-6050-571A-00000000B001}9584C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383958Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.598{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-FD16-6050-571A-00000000B001}9584C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383957Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.598{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-FD16-6050-561A-00000000B001}24120C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383956Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.598{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-FD16-6050-561A-00000000B001}24120C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383955Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.598{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-FD15-6050-551A-00000000B001}8612C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383954Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.598{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-FD15-6050-551A-00000000B001}8612C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383953Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.598{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-FD15-6050-541A-00000000B001}18620C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383952Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.597{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-FD15-6050-541A-00000000B001}18620C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383951Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.597{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-FD13-6050-531A-00000000B001}22004C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383950Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.597{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-FD13-6050-531A-00000000B001}22004C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383949Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.597{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-ED2D-6050-6E17-00000000B001}22016c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383948Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.597{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-ED2D-6050-6E17-00000000B001}22016c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383947Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.597{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-ED20-6050-6117-00000000B001}21992C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\scanningprocess.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383946Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.597{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-ED20-6050-6117-00000000B001}21992C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\scanningprocess.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383945Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.597{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-EBF9-6050-2E17-00000000B001}6188c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383944Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.597{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-EBF9-6050-2E17-00000000B001}6188c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383943Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.596{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-EBB8-6050-1E17-00000000B001}16064c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383942Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.596{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-EBB8-6050-1E17-00000000B001}16064c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383941Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.596{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E9FC-6050-C916-00000000B001}18272c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383940Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.596{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E9FC-6050-C916-00000000B001}18272c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383939Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.596{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E9ED-6050-C816-00000000B001}5704c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383938Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.596{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E9ED-6050-C816-00000000B001}5704c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383937Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.596{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E9BD-6050-B916-00000000B001}17328c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383936Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.596{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E9BD-6050-B916-00000000B001}17328c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383935Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.596{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E96D-6050-AB16-00000000B001}15480c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383934Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.595{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E96D-6050-AB16-00000000B001}15480c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383933Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.595{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E959-6050-8C16-00000000B001}6868c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383932Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.595{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E959-6050-8C16-00000000B001}6868c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383931Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.595{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E953-6050-8016-00000000B001}14944c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383930Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.595{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E953-6050-8016-00000000B001}14944c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383929Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.595{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E950-6050-7C16-00000000B001}14520c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383928Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.595{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E950-6050-7C16-00000000B001}14520c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383927Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.595{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E946-6050-7116-00000000B001}10832c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383926Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.594{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E946-6050-7116-00000000B001}10832c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383925Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.594{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E93F-6050-6A16-00000000B001}13552c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383924Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.594{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E93F-6050-6A16-00000000B001}13552c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383923Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.594{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E93B-6050-6616-00000000B001}13336c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383922Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.594{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E93B-6050-6616-00000000B001}13336c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383921Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.594{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E8D2-6050-4E16-00000000B001}14156c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383920Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.594{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E8D2-6050-4E16-00000000B001}14156c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383919Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.594{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E8B2-6050-4716-00000000B001}11216C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMRecovery.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383918Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.594{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E8B2-6050-4716-00000000B001}11216C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMRecovery.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383917Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.593{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E8B0-6050-4416-00000000B001}11464C:\Windows\system32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383916Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.593{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E8B0-6050-4416-00000000B001}11464C:\Windows\system32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383915Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.593{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E8AD-6050-4316-00000000B001}12744C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383914Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.593{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E8AD-6050-4316-00000000B001}12744C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383913Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.593{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E8AD-6050-4216-00000000B001}13956C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383912Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.593{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E8AD-6050-4216-00000000B001}13956C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383911Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.593{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E8A8-6050-3F16-00000000B001}14088C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383910Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.593{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E8A8-6050-3F16-00000000B001}14088C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383909Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.592{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E89D-6050-2916-00000000B001}13432C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Diagnostics.Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383908Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.592{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E89D-6050-2916-00000000B001}13432C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Diagnostics.Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383907Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.592{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E893-6050-2516-00000000B001}12676C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383906Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.592{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E893-6050-2516-00000000B001}12676C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383905Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.592{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E893-6050-2416-00000000B001}11244C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\PopImap\Microsoft.Exchange.Imap4.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383904Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.592{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E893-6050-2416-00000000B001}11244C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\PopImap\Microsoft.Exchange.Imap4.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383903Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.592{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E891-6050-2316-00000000B001}11696C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\PopImap\Microsoft.Exchange.Imap4Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383902Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.592{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E891-6050-2316-00000000B001}11696C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\PopImap\Microsoft.Exchange.Imap4Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383901Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.592{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E889-6050-1F16-00000000B001}4832C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383900Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.591{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E889-6050-1F16-00000000B001}4832C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383899Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.591{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E889-6050-1E16-00000000B001}13088C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\PopImap\Microsoft.Exchange.Pop3.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383898Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.591{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E889-6050-1E16-00000000B001}13088C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\PopImap\Microsoft.Exchange.Pop3.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383897Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.591{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E889-6050-1D16-00000000B001}4956C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\PopImap\Microsoft.Exchange.Pop3Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383896Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.591{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E889-6050-1D16-00000000B001}4956C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\PopImap\Microsoft.Exchange.Pop3Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383895Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.591{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E886-6050-1C16-00000000B001}13040C:\Program Files\Microsoft\Exchange Server\V15\Bin\ComplianceAuditService.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383894Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.591{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E886-6050-1C16-00000000B001}13040C:\Program Files\Microsoft\Exchange Server\V15\Bin\ComplianceAuditService.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383893Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.591{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E882-6050-1816-00000000B001}12912C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeCompliance.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383892Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.590{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E882-6050-1816-00000000B001}12912C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeCompliance.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383891Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.590{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E87A-6050-1716-00000000B001}13144C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383890Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.590{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E87A-6050-1716-00000000B001}13144C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383889Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.590{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E87A-6050-1616-00000000B001}13132C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Imap4.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383888Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.590{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E87A-6050-1616-00000000B001}13132C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Imap4.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383887Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.590{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E878-6050-1316-00000000B001}12860C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Imap4Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383886Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.590{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E878-6050-1316-00000000B001}12860C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Imap4Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383885Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.590{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E86F-6050-1216-00000000B001}12292C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383884Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.589{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E86F-6050-1216-00000000B001}12292C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383883Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.589{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E86F-6050-1116-00000000B001}11120C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Pop3.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383882Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.589{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E86F-6050-1116-00000000B001}11120C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Pop3.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383881Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.589{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E86E-6050-1016-00000000B001}11884C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Pop3Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383880Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.588{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E86E-6050-1016-00000000B001}11884C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Pop3Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383879Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.588{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E867-6050-0B16-00000000B001}11960C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\CallRouter\Microsoft.Exchange.UM.CallRouter.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383878Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.588{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E867-6050-0B16-00000000B001}11960C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\CallRouter\Microsoft.Exchange.UM.CallRouter.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383877Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.588{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0616-00000000B001}12120C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383876Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.588{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0616-00000000B001}12120C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383875Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.588{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383874Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.588{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383873Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E861-6050-0116-00000000B001}10868C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383872Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E861-6050-0116-00000000B001}10868C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383871Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E85A-6050-F915-00000000B001}11772C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\scanningprocess.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383870Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E85A-6050-F915-00000000B001}11772C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\scanningprocess.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383869Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E85A-6050-F815-00000000B001}11708C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\scanningprocess.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383868Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E85A-6050-F815-00000000B001}11708C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\scanningprocess.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383867Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E856-6050-F015-00000000B001}11876C:\Program Files\Microsoft\Exchange Server\V15\Bin\ForefrontActiveDirectoryConnector.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383866Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E856-6050-F015-00000000B001}11876C:\Program Files\Microsoft\Exchange Server\V15\Bin\ForefrontActiveDirectoryConnector.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383865Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E854-6050-E715-00000000B001}12284C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\updateservice.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383864Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E854-6050-E715-00000000B001}12284C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\updateservice.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383863Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E851-6050-D915-00000000B001}11424C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\FMS.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383862Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E851-6050-D915-00000000B001}11424C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\FMS.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383861Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E84F-6050-D615-00000000B001}2888C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.EdgeSyncSvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383860Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E84F-6050-D615-00000000B001}2888C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.EdgeSyncSvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383859Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E84F-6050-D515-00000000B001}9252C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.AntispamUpdateSvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383858Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E84F-6050-D515-00000000B001}9252C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.AntispamUpdateSvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383857Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E846-6050-A315-00000000B001}2032C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxReplication.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383856Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E846-6050-A315-00000000B001}2032C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxReplication.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383855Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E843-6050-A115-00000000B001}2920C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.RpcClientAccess.Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383854Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E843-6050-A115-00000000B001}2920C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.RpcClientAccess.Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383853Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E83F-6050-7C15-00000000B001}5876C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383852Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E83F-6050-7C15-00000000B001}5876C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383851Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E82B-6050-7015-00000000B001}7156C:\Program Files\Microsoft\Exchange Server\V15\bin\UMworkerprocess.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383850Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E82B-6050-7015-00000000B001}7156C:\Program Files\Microsoft\Exchange Server\V15\bin\UMworkerprocess.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383849Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E829-6050-6A15-00000000B001}2460C:\Program Files\Microsoft\Exchange Server\V15\Bin\umservice.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383848Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E829-6050-6A15-00000000B001}2460C:\Program Files\Microsoft\Exchange Server\V15\Bin\umservice.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383847Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E826-6050-6715-00000000B001}10840C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383846Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E826-6050-6715-00000000B001}10840C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383845Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E825-6050-6515-00000000B001}3388C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeTransportLogSearch.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383844Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E825-6050-6515-00000000B001}3388C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeTransportLogSearch.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383843Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E824-6050-6415-00000000B001}3100C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383842Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E824-6050-6415-00000000B001}3100C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383841Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E807-6050-1215-00000000B001}10084C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.ServiceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383840Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E807-6050-1215-00000000B001}10084C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.ServiceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383839Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E764-6050-1C13-00000000B001}9980C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Store.Worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383838Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E764-6050-1C13-00000000B001}9980C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Store.Worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383837Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E760-6050-1A13-00000000B001}9452C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Store.Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383836Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E760-6050-1A13-00000000B001}9452C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Store.Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383835Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E75D-6050-1813-00000000B001}5196C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDagMgmt.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383834Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E75D-6050-1813-00000000B001}5196C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDagMgmt.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383833Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E75B-6050-1613-00000000B001}7048C:\Program Files\Microsoft\Exchange Server\V15\Bin\msexchangerepl.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383832Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E75B-6050-1613-00000000B001}7048C:\Program Files\Microsoft\Exchange Server\V15\Bin\msexchangerepl.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383831Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E75A-6050-1513-00000000B001}8932C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeThrottling.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383830Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E75A-6050-1513-00000000B001}8932C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeThrottling.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383829Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E759-6050-1413-00000000B001}7660C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeSubmission.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383828Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E759-6050-1413-00000000B001}7660C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeSubmission.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383827Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E758-6050-1313-00000000B001}5828C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Search.Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383826Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E758-6050-1313-00000000B001}5828C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Search.Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383825Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383824Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383823Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0E13-00000000B001}8088C:\Windows\system32\inetsrv\inetinfo.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383822Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0E13-00000000B001}8088C:\Windows\system32\inetsrv\inetinfo.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383821Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E555-6050-DF0C-00000000B001}9164C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383820Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E555-6050-DF0C-00000000B001}9164C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383819Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E33A-6050-3208-00000000B001}9064C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\NodeRunner.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383818Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E33A-6050-3208-00000000B001}9064C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\NodeRunner.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383817Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E335-6050-1D08-00000000B001}9176C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Directory.TopologyService.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383816Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E335-6050-1D08-00000000B001}9176C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Directory.TopologyService.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383815Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E325-6050-FD07-00000000B001}6036C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\NodeRunner.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383814Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E325-6050-FD07-00000000B001}6036C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\NodeRunner.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383813Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E321-6050-FC07-00000000B001}6508C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\ResourceProfile\contentengine\NodeRunner.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383812Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E321-6050-FC07-00000000B001}6508C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\ResourceProfile\contentengine\NodeRunner.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383811Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E311-6050-F707-00000000B001}3708C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\NodeRunner.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383810Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E311-6050-F707-00000000B001}3708C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\NodeRunner.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383809Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E30D-6050-F507-00000000B001}6040C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\HostController\hostcontrollerservice.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383808Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E30D-6050-F507-00000000B001}6040C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\HostController\hostcontrollerservice.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383807Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E30C-6050-F407-00000000B001}5104C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Diagnostics\TraceService\sftracing.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383806Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E30C-6050-F407-00000000B001}5104C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Diagnostics\TraceService\sftracing.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383805Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-DFE8-6050-5902-00000000B001}3204C:\Windows\system32\inetsrv\wmsvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383804Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-DFE8-6050-5902-00000000B001}3204C:\Windows\system32\inetsrv\wmsvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383803Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-DAB6-6050-A800-00000000B001}5792C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383802Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-DAB6-6050-A800-00000000B001}5792C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383801Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-DAA4-6050-9C00-00000000B001}5232C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383800Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-DAA4-6050-9C00-00000000B001}5232C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383799Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-DAA4-6050-9B00-00000000B001}5128C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383798Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-DAA4-6050-9B00-00000000B001}5128C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383797Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-DAA3-6050-9A00-00000000B001}4712C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383796Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-DAA3-6050-9A00-00000000B001}4712C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383795Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-DAA2-6050-9400-00000000B001}2476C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383794Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-DAA2-6050-9400-00000000B001}2476C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383793Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-DAA2-6050-9100-00000000B001}4980C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383792Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-DAA2-6050-9100-00000000B001}4980C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383791Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-DAA0-6050-8E00-00000000B001}1168C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383790Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-DAA0-6050-8E00-00000000B001}1168C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383789Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-DAA0-6050-8C00-00000000B001}4796C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383788Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-DAA0-6050-8C00-00000000B001}4796C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383787Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-DA3D-6050-4700-00000000B001}4260C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383786Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-DA3D-6050-4700-00000000B001}4260C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383785Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-DA3D-6050-4200-00000000B001}4152C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383784Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-DA3D-6050-4200-00000000B001}4152C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383783Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-DA3C-6050-3800-00000000B001}3756C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383782Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-DA3C-6050-3800-00000000B001}3756C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383781Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-DA3C-6050-3600-00000000B001}3636C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383780Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-DA3C-6050-3600-00000000B001}3636C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383779Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-DA3B-6050-3300-00000000B001}2160C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383778Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-DA3B-6050-3300-00000000B001}2160C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383777Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-DA3B-6050-3200-00000000B001}2204C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383776Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-DA3B-6050-3200-00000000B001}2204C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383775Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-DA3B-6050-3000-00000000B001}2900C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383774Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-DA3B-6050-3000-00000000B001}2900C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383773Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-DA3B-6050-2F00-00000000B001}2468C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383772Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-DA3B-6050-2F00-00000000B001}2468C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383771Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-DA3B-6050-2E00-00000000B001}2880C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383770Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-DA3B-6050-2E00-00000000B001}2880C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383769Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-DA3B-6050-2D00-00000000B001}2780C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383768Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-DA3B-6050-2D00-00000000B001}2780C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383767Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-DA3B-6050-2C00-00000000B001}2736C:\Windows\system32\mqsvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383766Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-DA3B-6050-2C00-00000000B001}2736C:\Windows\system32\mqsvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383765Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-DA3B-6050-2B00-00000000B001}2488C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383764Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-DA3B-6050-2B00-00000000B001}2488C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383763Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-DA3B-6050-2A00-00000000B001}2656C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383762Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-DA3B-6050-2A00-00000000B001}2656C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383761Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-DA3B-6050-2900-00000000B001}2612C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383760Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-DA3B-6050-2900-00000000B001}2612C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383759Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-DA3B-6050-2800-00000000B001}2620C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383758Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-DA3B-6050-2800-00000000B001}2620C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383757Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-DA3B-6050-2600-00000000B001}1928C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383756Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-DA3B-6050-2600-00000000B001}1928C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383755Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.573{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-DA3B-6050-2500-00000000B001}2140C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383754Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.557{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-DA3B-6050-2500-00000000B001}2140C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383753Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.557{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-DA35-6050-2300-00000000B001}2932C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383752Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.557{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-DA35-6050-2300-00000000B001}2932C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383751Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.557{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-DA2C-6050-2100-00000000B001}2400C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383750Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.557{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-DA2C-6050-2100-00000000B001}2400C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383749Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.557{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-DA2B-6050-1700-00000000B001}1784C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383748Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.557{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-DA2B-6050-1700-00000000B001}1784C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383747Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.557{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-DA2B-6050-1600-00000000B001}1536C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383746Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.557{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-DA2B-6050-1600-00000000B001}1536C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383745Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.557{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-DA2B-6050-1500-00000000B001}1476C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383744Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.557{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-DA2B-6050-1500-00000000B001}1476C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383743Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.557{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-DA2B-6050-1400-00000000B001}1232C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383742Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.557{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-DA2B-6050-1400-00000000B001}1232C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383741Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.557{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-DA2B-6050-1300-00000000B001}1224C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383740Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.557{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-DA2B-6050-1300-00000000B001}1224C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383739Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.557{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-DA2B-6050-1200-00000000B001}1200C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383738Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.557{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-DA2B-6050-1200-00000000B001}1200C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383737Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.557{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-DA2B-6050-1100-00000000B001}1152C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383736Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.557{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-DA2B-6050-1100-00000000B001}1152C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383735Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.557{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-DA2B-6050-1000-00000000B001}1144C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383734Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.557{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-DA2B-6050-1000-00000000B001}1144C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383733Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.557{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-DA2B-6050-0F00-00000000B001}1112C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383732Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.557{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-DA2B-6050-0F00-00000000B001}1112C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383731Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.557{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-DA2B-6050-0E00-00000000B001}1064C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383730Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.557{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-DA2B-6050-0E00-00000000B001}1064C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383729Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.557{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-DA2B-6050-0D00-00000000B001}624C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383728Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.557{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-DA2B-6050-0D00-00000000B001}624C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383727Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.557{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-DA2B-6050-0C00-00000000B001}584C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383726Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.557{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-DA2B-6050-0C00-00000000B001}584C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383725Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.557{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-DA28-6050-0B00-00000000B001}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383724Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.557{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-DA28-6050-0B00-00000000B001}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383723Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.557{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-DA28-6050-0900-00000000B001}792C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383722Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.557{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-DA28-6050-0900-00000000B001}792C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002383721Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.448{9A05EE67-E30D-6050-F507-00000000B001}60403392C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\HostController\hostcontrollerservice.exe{9A05EE67-E33A-6050-3208-00000000B001}9064C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\NodeRunner.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF9F9C39CD0) 10341000x80000000000000002383720Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.448{9A05EE67-E30D-6050-F507-00000000B001}60403392C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\HostController\hostcontrollerservice.exe{9A05EE67-E33A-6050-3208-00000000B001}9064C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\NodeRunner.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF9F9C39CD0) 10341000x80000000000000002383719Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.448{9A05EE67-E30D-6050-F507-00000000B001}60403392C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\HostController\hostcontrollerservice.exe{9A05EE67-E325-6050-FD07-00000000B001}6036C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\NodeRunner.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF9F9C39CD0) 10341000x80000000000000002383718Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.448{9A05EE67-E30D-6050-F507-00000000B001}60403392C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\HostController\hostcontrollerservice.exe{9A05EE67-E325-6050-FD07-00000000B001}6036C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\NodeRunner.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF9F9C39CD0) 10341000x80000000000000002383717Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.448{9A05EE67-E30D-6050-F507-00000000B001}60403392C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\HostController\hostcontrollerservice.exe{9A05EE67-E321-6050-FC07-00000000B001}6508C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\ResourceProfile\contentengine\NodeRunner.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF9F9C39CD0) 10341000x80000000000000002383716Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.448{9A05EE67-E30D-6050-F507-00000000B001}60403392C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\HostController\hostcontrollerservice.exe{9A05EE67-E321-6050-FC07-00000000B001}6508C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\ResourceProfile\contentengine\NodeRunner.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF9F9C39CD0) 10341000x80000000000000002383715Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.448{9A05EE67-E30D-6050-F507-00000000B001}60403392C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\HostController\hostcontrollerservice.exe{9A05EE67-E311-6050-F707-00000000B001}3708C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\NodeRunner.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF9F9C39CD0) 10341000x80000000000000002383714Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.448{9A05EE67-E30D-6050-F507-00000000B001}60403392C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\HostController\hostcontrollerservice.exe{9A05EE67-E311-6050-F707-00000000B001}3708C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\NodeRunner.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF9F9C39CD0) 354300x80000000000000002384500Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:40.808{9A05EE67-1F87-6051-3721-00000000B001}7928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-622.attackrange.local25312-false10.0.1.12-8000- 354300x80000000000000002384499Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:40.511{9A05EE67-DA26-6050-0100-00000000B001}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-622.attackrange.local25311-true0:0:0:0:0:0:0:1win-dc-622.attackrange.local443https 354300x80000000000000002384498Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:40.511{9A05EE67-E8AD-6050-4216-00000000B001}13956C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-622.attackrange.local25311-true0:0:0:0:0:0:0:1win-dc-622.attackrange.local443https 354300x80000000000000002384509Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.729{9A05EE67-E824-6050-6415-00000000B001}3100C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-622.attackrange.local25313-false10.0.1.14win-dc-622.attackrange.local587- 354300x80000000000000002384508Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:41.729{9A05EE67-E8AD-6050-4216-00000000B001}13956C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-622.attackrange.local25313-false10.0.1.14win-dc-622.attackrange.local587- 10341000x80000000000000002384507Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:43.620{9A05EE67-DAA3-6050-9A00-00000000B001}47121124C:\Windows\Explorer.EXE{9A05EE67-1BDC-6051-3420-00000000B001}11392C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c948|C:\Windows\System32\TwinUI.dll+75f2d|C:\Windows\System32\TwinUI.dll+75b03|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384506Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:43.620{9A05EE67-DAA3-6050-9A00-00000000B001}471217756C:\Windows\Explorer.EXE{9A05EE67-1BDC-6051-3420-00000000B001}11392C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10a29|C:\Windows\System32\SHELL32.dll+b7690|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384505Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:43.620{9A05EE67-DAA3-6050-9A00-00000000B001}471217756C:\Windows\Explorer.EXE{9A05EE67-1BDC-6051-3420-00000000B001}11392C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384504Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:43.603{9A05EE67-DAA3-6050-9A00-00000000B001}47124932C:\Windows\Explorer.EXE{9A05EE67-1BDC-6051-3520-00000000B001}21456C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7a3f|C:\Windows\System32\SHELL32.dll+b7f60|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384503Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:43.603{9A05EE67-DAA3-6050-9A00-00000000B001}47124932C:\Windows\Explorer.EXE{9A05EE67-1BDC-6051-3520-00000000B001}21456C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+112150|C:\Windows\System32\SHELL32.dll+b7f1c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384502Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:43.603{9A05EE67-DAA3-6050-9A00-00000000B001}47124932C:\Windows\Explorer.EXE{9A05EE67-1BDC-6051-3520-00000000B001}21456C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b7ef0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384501Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:43.603{9A05EE67-DAA3-6050-9A00-00000000B001}47124932C:\Windows\Explorer.EXE{9A05EE67-1BDC-6051-3520-00000000B001}21456C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002384510Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:44.296{9A05EE67-1F89-6051-4021-00000000B001}19804NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4509DFF5C973CDACE9853EAF6D48CF2,SHA256=BF51D782D4B9E9C157B218B5CD220CC90C1A18B0FDFFE9EF168ACB715AC9FDAE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002384515Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:43.496{9A05EE67-E75B-6050-1613-00000000B001}7048C:\Program Files\Microsoft\Exchange Server\V15\Bin\msexchangerepl.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:e9f1:b27:5240:b65win-dc-622.attackrange.local25314-truefe80:0:0:0:e9f1:b27:5240:b65win-dc-622.attackrange.local64337- 354300x80000000000000002384514Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:43.496{9A05EE67-E8AD-6050-4216-00000000B001}13956C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:e9f1:b27:5240:b65win-dc-622.attackrange.local25314-truefe80:0:0:0:e9f1:b27:5240:b65win-dc-622.attackrange.local64337- 23542300x80000000000000002384513Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:45.713{9A05EE67-1F79-6051-0921-00000000B001}26152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=1D085D3BD1E2B813ED31C9643171CEFC,SHA256=E8B63977B9DF715FF12E1AA5B007228D5DDCB6CD90759B660BA70CD7C33B1082,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002384512Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:45.213{9A05EE67-1F89-6051-4021-00000000B001}19804NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A31BAD18E4FB8B7FC9630374FFC7E2AC,SHA256=12690B0182E9347E3DEA264DFADA844D0F59E83F311CDE407CF57AC0867414AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002384511Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:45.213{9A05EE67-1F89-6051-4021-00000000B001}19804NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0F5705D8CAC352C9CB93C3C5152713D6,SHA256=A9BA06E053D92F68C3EF7EBA52E6A68A04DE4D4DE8FB33E3A794726F3B9597A6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002384516Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:45.354{9A05EE67-1F79-6051-0921-00000000B001}26152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-622.attackrange.local25315-false10.0.1.12-8089- 10341000x80000000000000002384888Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.213{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E8A8-6050-3F16-00000000B001}14088C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384887Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.213{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E8A8-6050-3F16-00000000B001}14088C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384886Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.213{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E8A8-6050-3F16-00000000B001}14088C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384885Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.213{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E8AD-6050-4216-00000000B001}13956C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384884Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.213{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E8AD-6050-4216-00000000B001}13956C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384883Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.213{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E8AD-6050-4216-00000000B001}13956C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384882Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.213{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E8D2-6050-4E16-00000000B001}14156c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384881Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.213{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E8D2-6050-4E16-00000000B001}14156c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384880Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.203{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E8D2-6050-4E16-00000000B001}14156c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384879Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.203{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E93B-6050-6616-00000000B001}13336c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384878Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.203{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E93B-6050-6616-00000000B001}13336c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384877Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.203{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E93B-6050-6616-00000000B001}13336c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384876Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.203{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E93F-6050-6A16-00000000B001}13552c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384875Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.203{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E93F-6050-6A16-00000000B001}13552c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384874Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.203{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E93F-6050-6A16-00000000B001}13552c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384873Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.203{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E946-6050-7116-00000000B001}10832c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384872Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.203{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E946-6050-7116-00000000B001}10832c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384871Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.203{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E946-6050-7116-00000000B001}10832c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384870Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.203{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-ED2D-6050-6E17-00000000B001}22016c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384869Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.203{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-ED2D-6050-6E17-00000000B001}22016c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384868Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.203{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-ED2D-6050-6E17-00000000B001}22016c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384867Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.203{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E953-6050-8016-00000000B001}14944c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384866Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.203{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E950-6050-7C16-00000000B001}14520c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384865Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.203{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E953-6050-8016-00000000B001}14944c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384864Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.203{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E950-6050-7C16-00000000B001}14520c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384863Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.203{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E953-6050-8016-00000000B001}14944c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384862Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.203{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E950-6050-7C16-00000000B001}14520c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384861Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.203{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E959-6050-8C16-00000000B001}6868c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384860Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.203{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E959-6050-8C16-00000000B001}6868c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384859Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.203{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E959-6050-8C16-00000000B001}6868c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384858Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.203{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-EBB8-6050-1E17-00000000B001}16064c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384857Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.203{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-EBB8-6050-1E17-00000000B001}16064c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384856Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.203{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-EBB8-6050-1E17-00000000B001}16064c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384855Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.203{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-EBF9-6050-2E17-00000000B001}6188c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384854Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.203{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-EBF9-6050-2E17-00000000B001}6188c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384853Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.203{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-EBF9-6050-2E17-00000000B001}6188c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384852Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.203{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E96D-6050-AB16-00000000B001}15480c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384851Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.203{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E96D-6050-AB16-00000000B001}15480c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384850Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.203{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E96D-6050-AB16-00000000B001}15480c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384849Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.203{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E9BD-6050-B916-00000000B001}17328c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384848Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.203{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E9BD-6050-B916-00000000B001}17328c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384847Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.203{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E9BD-6050-B916-00000000B001}17328c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384846Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.203{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E9ED-6050-C816-00000000B001}5704c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384845Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.203{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E9ED-6050-C816-00000000B001}5704c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384844Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.203{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E9ED-6050-C816-00000000B001}5704c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384843Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.203{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E9FC-6050-C916-00000000B001}18272c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384842Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.203{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E9FC-6050-C916-00000000B001}18272c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384841Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.203{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E9FC-6050-C916-00000000B001}18272c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384840Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.203{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E759-6050-1413-00000000B001}7660C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeSubmission.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384839Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.203{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E826-6050-6715-00000000B001}10840C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384838Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.201{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384837Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.201{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384836Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.200{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384835Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.200{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384834Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.200{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384833Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.200{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384832Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.200{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384831Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.200{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384830Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.200{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384829Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.200{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E861-6050-0116-00000000B001}10868C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384828Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.199{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384827Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.199{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384826Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.199{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384825Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.199{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384824Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.199{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384823Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.199{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384822Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.199{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384821Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.199{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E759-6050-1413-00000000B001}7660C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeSubmission.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384820Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.199{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E824-6050-6415-00000000B001}3100C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384819Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.199{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E826-6050-6715-00000000B001}10840C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384818Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.199{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384817Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.199{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384816Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.198{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384815Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.198{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384814Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.198{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384813Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.198{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384812Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.198{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384811Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.198{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384810Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.198{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384809Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384808Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384807Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-25A3-6051-7A23-00000000B001}10596C:\Program Files\SplunkUniversalForwarder\bin\splunk-winhostinfo.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384806Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-25A3-6051-7A23-00000000B001}10596C:\Program Files\SplunkUniversalForwarder\bin\splunk-winhostinfo.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384805Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-20BB-6051-CA21-00000000B001}25052C:\Windows\system32\nslookup.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384804Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-20BB-6051-CA21-00000000B001}25052C:\Windows\system32\nslookup.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384803Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-20BB-6051-C921-00000000B001}16536C:\Windows\system32\nslookup.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384802Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-20BB-6051-C921-00000000B001}16536C:\Windows\system32\nslookup.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384801Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-20BB-6051-C821-00000000B001}21956C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384800Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-20BB-6051-C821-00000000B001}21956C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384799Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-20BB-6051-C721-00000000B001}23524C:\Windows\SYSTEM32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384798Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-20BB-6051-C721-00000000B001}23524C:\Windows\SYSTEM32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384797Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-20BB-6051-C621-00000000B001}10816C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384796Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-20BB-6051-C621-00000000B001}10816C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384795Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-20BB-6051-C521-00000000B001}5244C:\Windows\SYSTEM32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384794Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-20BB-6051-C521-00000000B001}5244C:\Windows\SYSTEM32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384793Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-20A0-6051-A621-00000000B001}15716C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384792Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-20A0-6051-A621-00000000B001}15716C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384791Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-202A-6051-7E21-00000000B001}4240C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384790Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-202A-6051-7E21-00000000B001}4240C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384789Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-1F89-6051-4021-00000000B001}19804C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384788Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-1F89-6051-4021-00000000B001}19804C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384787Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-1F87-6051-3C21-00000000B001}12216C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384786Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-1F87-6051-3C21-00000000B001}12216C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384785Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-1F87-6051-3721-00000000B001}7928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384784Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-1F87-6051-3721-00000000B001}7928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384783Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-1F7A-6051-0D21-00000000B001}23396C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384782Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-1F7A-6051-0D21-00000000B001}23396C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384781Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-1F79-6051-0921-00000000B001}26152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384780Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-1F79-6051-0921-00000000B001}26152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384779Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-1D10-6051-7820-00000000B001}20976C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384778Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-1D10-6051-7820-00000000B001}20976C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384777Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-1BDC-6051-3520-00000000B001}21456C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384776Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-1BDC-6051-3520-00000000B001}21456C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384775Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-1BDC-6051-3420-00000000B001}11392C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384774Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-1BDC-6051-3420-00000000B001}11392C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384773Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-1936-6051-B71F-00000000B001}17872C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384772Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-1936-6051-B71F-00000000B001}17872C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384771Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-FD4A-6050-6C1A-00000000B001}24580C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384770Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-FD4A-6050-6C1A-00000000B001}24580C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384769Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-FD16-6050-571A-00000000B001}9584C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384768Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-FD16-6050-571A-00000000B001}9584C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384767Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-FD16-6050-561A-00000000B001}24120C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384766Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-FD16-6050-561A-00000000B001}24120C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384765Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-FD15-6050-551A-00000000B001}8612C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384764Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-FD15-6050-551A-00000000B001}8612C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384763Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-FD15-6050-541A-00000000B001}18620C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384762Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-FD15-6050-541A-00000000B001}18620C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384761Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-FD13-6050-531A-00000000B001}22004C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384760Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-FD13-6050-531A-00000000B001}22004C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384759Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-ED2D-6050-6E17-00000000B001}22016c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384758Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-ED2D-6050-6E17-00000000B001}22016c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384757Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-ED20-6050-6117-00000000B001}21992C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\scanningprocess.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384756Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-ED20-6050-6117-00000000B001}21992C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\scanningprocess.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384755Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-EBF9-6050-2E17-00000000B001}6188c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384754Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-EBF9-6050-2E17-00000000B001}6188c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384753Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-EBB8-6050-1E17-00000000B001}16064c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384752Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-EBB8-6050-1E17-00000000B001}16064c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384751Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E9FC-6050-C916-00000000B001}18272c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384750Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E9FC-6050-C916-00000000B001}18272c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384749Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E9ED-6050-C816-00000000B001}5704c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384748Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E9ED-6050-C816-00000000B001}5704c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384747Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E9BD-6050-B916-00000000B001}17328c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384746Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E9BD-6050-B916-00000000B001}17328c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384745Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E96D-6050-AB16-00000000B001}15480c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384744Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E96D-6050-AB16-00000000B001}15480c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384743Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E959-6050-8C16-00000000B001}6868c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384742Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E959-6050-8C16-00000000B001}6868c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384741Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E953-6050-8016-00000000B001}14944c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384740Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E953-6050-8016-00000000B001}14944c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384739Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E950-6050-7C16-00000000B001}14520c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384738Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E950-6050-7C16-00000000B001}14520c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384737Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E946-6050-7116-00000000B001}10832c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384736Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E946-6050-7116-00000000B001}10832c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384735Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E93F-6050-6A16-00000000B001}13552c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384734Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E93F-6050-6A16-00000000B001}13552c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384733Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E93B-6050-6616-00000000B001}13336c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384732Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E93B-6050-6616-00000000B001}13336c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384731Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E8D2-6050-4E16-00000000B001}14156c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384730Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E8D2-6050-4E16-00000000B001}14156c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384729Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E8B2-6050-4716-00000000B001}11216C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMRecovery.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384728Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E8B2-6050-4716-00000000B001}11216C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMRecovery.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384727Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E8AD-6050-4316-00000000B001}12744C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384726Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E8AD-6050-4316-00000000B001}12744C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384725Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E8AD-6050-4216-00000000B001}13956C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384724Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E8AD-6050-4216-00000000B001}13956C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384723Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E8AC-6050-4116-00000000B001}13236C:\Windows\system32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384722Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E8AC-6050-4116-00000000B001}13236C:\Windows\system32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384721Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E8A8-6050-3F16-00000000B001}14088C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384720Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E8A8-6050-3F16-00000000B001}14088C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384719Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E89D-6050-2916-00000000B001}13432C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Diagnostics.Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384718Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E89D-6050-2916-00000000B001}13432C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Diagnostics.Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384717Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E893-6050-2516-00000000B001}12676C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384716Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E893-6050-2516-00000000B001}12676C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384715Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E893-6050-2416-00000000B001}11244C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\PopImap\Microsoft.Exchange.Imap4.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384714Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E893-6050-2416-00000000B001}11244C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\PopImap\Microsoft.Exchange.Imap4.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384713Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E891-6050-2316-00000000B001}11696C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\PopImap\Microsoft.Exchange.Imap4Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384712Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E891-6050-2316-00000000B001}11696C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\PopImap\Microsoft.Exchange.Imap4Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384711Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E889-6050-1F16-00000000B001}4832C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384710Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E889-6050-1F16-00000000B001}4832C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384709Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E889-6050-1E16-00000000B001}13088C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\PopImap\Microsoft.Exchange.Pop3.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384708Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E889-6050-1E16-00000000B001}13088C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\PopImap\Microsoft.Exchange.Pop3.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384707Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E889-6050-1D16-00000000B001}4956C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\PopImap\Microsoft.Exchange.Pop3Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384706Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E889-6050-1D16-00000000B001}4956C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\PopImap\Microsoft.Exchange.Pop3Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384705Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E886-6050-1C16-00000000B001}13040C:\Program Files\Microsoft\Exchange Server\V15\Bin\ComplianceAuditService.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384704Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E886-6050-1C16-00000000B001}13040C:\Program Files\Microsoft\Exchange Server\V15\Bin\ComplianceAuditService.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384703Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E882-6050-1816-00000000B001}12912C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeCompliance.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384702Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E882-6050-1816-00000000B001}12912C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeCompliance.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384701Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E87A-6050-1716-00000000B001}13144C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384700Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E87A-6050-1716-00000000B001}13144C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384699Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E87A-6050-1616-00000000B001}13132C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Imap4.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384698Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E87A-6050-1616-00000000B001}13132C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Imap4.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384697Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.182{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E878-6050-1316-00000000B001}12860C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Imap4Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384696Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E878-6050-1316-00000000B001}12860C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Imap4Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384695Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E86F-6050-1216-00000000B001}12292C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384694Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E86F-6050-1216-00000000B001}12292C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384693Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E86F-6050-1116-00000000B001}11120C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Pop3.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384692Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E86F-6050-1116-00000000B001}11120C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Pop3.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384691Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E86E-6050-1016-00000000B001}11884C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Pop3Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384690Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E86E-6050-1016-00000000B001}11884C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Pop3Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384689Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E867-6050-0B16-00000000B001}11960C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\CallRouter\Microsoft.Exchange.UM.CallRouter.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384688Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E867-6050-0B16-00000000B001}11960C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\CallRouter\Microsoft.Exchange.UM.CallRouter.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384687Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0616-00000000B001}12120C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384686Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0616-00000000B001}12120C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384685Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384684Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384683Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E861-6050-0116-00000000B001}10868C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384682Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E861-6050-0116-00000000B001}10868C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384681Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E85A-6050-F915-00000000B001}11772C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\scanningprocess.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384680Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E85A-6050-F915-00000000B001}11772C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\scanningprocess.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384679Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E85A-6050-F815-00000000B001}11708C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\scanningprocess.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384678Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E85A-6050-F815-00000000B001}11708C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\scanningprocess.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384677Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E856-6050-F015-00000000B001}11876C:\Program Files\Microsoft\Exchange Server\V15\Bin\ForefrontActiveDirectoryConnector.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384676Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E856-6050-F015-00000000B001}11876C:\Program Files\Microsoft\Exchange Server\V15\Bin\ForefrontActiveDirectoryConnector.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384675Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E854-6050-E715-00000000B001}12284C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\updateservice.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384674Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E854-6050-E715-00000000B001}12284C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\updateservice.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384673Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E851-6050-D915-00000000B001}11424C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\FMS.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384672Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E851-6050-D915-00000000B001}11424C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\FMS.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384671Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E84F-6050-D615-00000000B001}2888C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.EdgeSyncSvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384670Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E84F-6050-D615-00000000B001}2888C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.EdgeSyncSvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384669Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E84F-6050-D515-00000000B001}9252C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.AntispamUpdateSvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384668Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E84F-6050-D515-00000000B001}9252C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.AntispamUpdateSvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384667Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E846-6050-A315-00000000B001}2032C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxReplication.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384666Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E846-6050-A315-00000000B001}2032C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxReplication.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384665Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E843-6050-A115-00000000B001}2920C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.RpcClientAccess.Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384664Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E843-6050-A115-00000000B001}2920C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.RpcClientAccess.Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384663Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E83F-6050-7C15-00000000B001}5876C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384662Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E83F-6050-7C15-00000000B001}5876C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384661Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E82B-6050-7015-00000000B001}7156C:\Program Files\Microsoft\Exchange Server\V15\bin\UMworkerprocess.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384660Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E82B-6050-7015-00000000B001}7156C:\Program Files\Microsoft\Exchange Server\V15\bin\UMworkerprocess.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384659Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E829-6050-6A15-00000000B001}2460C:\Program Files\Microsoft\Exchange Server\V15\Bin\umservice.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384658Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E829-6050-6A15-00000000B001}2460C:\Program Files\Microsoft\Exchange Server\V15\Bin\umservice.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384657Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E826-6050-6715-00000000B001}10840C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384656Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E826-6050-6715-00000000B001}10840C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384655Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E825-6050-6515-00000000B001}3388C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeTransportLogSearch.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384654Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E825-6050-6515-00000000B001}3388C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeTransportLogSearch.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384653Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E824-6050-6415-00000000B001}3100C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384652Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E824-6050-6415-00000000B001}3100C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384651Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E807-6050-1215-00000000B001}10084C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.ServiceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384650Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E807-6050-1215-00000000B001}10084C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.ServiceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384649Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E764-6050-1C13-00000000B001}9980C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Store.Worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384648Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E764-6050-1C13-00000000B001}9980C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Store.Worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384647Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E760-6050-1A13-00000000B001}9452C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Store.Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384646Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E760-6050-1A13-00000000B001}9452C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Store.Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384645Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E75D-6050-1813-00000000B001}5196C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDagMgmt.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384644Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E75D-6050-1813-00000000B001}5196C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDagMgmt.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384643Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E75B-6050-1613-00000000B001}7048C:\Program Files\Microsoft\Exchange Server\V15\Bin\msexchangerepl.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384642Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E75B-6050-1613-00000000B001}7048C:\Program Files\Microsoft\Exchange Server\V15\Bin\msexchangerepl.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384641Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E75A-6050-1513-00000000B001}8932C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeThrottling.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384640Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E75A-6050-1513-00000000B001}8932C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeThrottling.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384639Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E759-6050-1413-00000000B001}7660C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeSubmission.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384638Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E759-6050-1413-00000000B001}7660C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeSubmission.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384637Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E758-6050-1313-00000000B001}5828C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Search.Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384636Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E758-6050-1313-00000000B001}5828C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Search.Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384635Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384634Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384633Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0E13-00000000B001}8088C:\Windows\system32\inetsrv\inetinfo.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384632Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0E13-00000000B001}8088C:\Windows\system32\inetsrv\inetinfo.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384631Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E555-6050-DF0C-00000000B001}9164C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384630Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E555-6050-DF0C-00000000B001}9164C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384629Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E33A-6050-3208-00000000B001}9064C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\NodeRunner.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384628Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E33A-6050-3208-00000000B001}9064C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\NodeRunner.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384627Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E335-6050-1D08-00000000B001}9176C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Directory.TopologyService.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384626Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E335-6050-1D08-00000000B001}9176C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Directory.TopologyService.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384625Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E325-6050-FD07-00000000B001}6036C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\NodeRunner.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384624Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E325-6050-FD07-00000000B001}6036C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\NodeRunner.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384623Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E321-6050-FC07-00000000B001}6508C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\ResourceProfile\contentengine\NodeRunner.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384622Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E321-6050-FC07-00000000B001}6508C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\ResourceProfile\contentengine\NodeRunner.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384621Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E311-6050-F707-00000000B001}3708C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\NodeRunner.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384620Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E311-6050-F707-00000000B001}3708C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\NodeRunner.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384619Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E30D-6050-F507-00000000B001}6040C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\HostController\hostcontrollerservice.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384618Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E30D-6050-F507-00000000B001}6040C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\HostController\hostcontrollerservice.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384617Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E30C-6050-F407-00000000B001}5104C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Diagnostics\TraceService\sftracing.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384616Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-E30C-6050-F407-00000000B001}5104C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Diagnostics\TraceService\sftracing.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384615Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-DFE8-6050-5902-00000000B001}3204C:\Windows\system32\inetsrv\wmsvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384614Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-DFE8-6050-5902-00000000B001}3204C:\Windows\system32\inetsrv\wmsvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384613Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-DAB6-6050-A800-00000000B001}5792C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384612Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-DAB6-6050-A800-00000000B001}5792C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384611Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-DAA4-6050-9C00-00000000B001}5232C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384610Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-DAA4-6050-9C00-00000000B001}5232C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384609Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-DAA4-6050-9B00-00000000B001}5128C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384608Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-DAA4-6050-9B00-00000000B001}5128C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384607Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-DAA3-6050-9A00-00000000B001}4712C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384606Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-DAA3-6050-9A00-00000000B001}4712C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384605Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-DAA2-6050-9400-00000000B001}2476C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384604Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-DAA2-6050-9400-00000000B001}2476C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384603Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-DAA2-6050-9100-00000000B001}4980C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384602Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-DAA2-6050-9100-00000000B001}4980C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384601Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-DAA0-6050-8E00-00000000B001}1168C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384600Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-DAA0-6050-8E00-00000000B001}1168C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384599Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-DAA0-6050-8C00-00000000B001}4796C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384598Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-DAA0-6050-8C00-00000000B001}4796C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384597Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-DA3D-6050-4700-00000000B001}4260C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384596Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-DA3D-6050-4700-00000000B001}4260C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384595Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-DA3D-6050-4200-00000000B001}4152C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384594Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-DA3D-6050-4200-00000000B001}4152C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384593Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-DA3C-6050-3800-00000000B001}3756C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384592Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-DA3C-6050-3800-00000000B001}3756C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384591Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-DA3C-6050-3600-00000000B001}3636C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384590Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-DA3C-6050-3600-00000000B001}3636C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384589Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-DA3B-6050-3300-00000000B001}2160C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384588Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-DA3B-6050-3300-00000000B001}2160C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384587Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-DA3B-6050-3200-00000000B001}2204C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384586Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-DA3B-6050-3200-00000000B001}2204C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384585Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-DA3B-6050-3000-00000000B001}2900C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384584Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-DA3B-6050-3000-00000000B001}2900C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384583Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-DA3B-6050-2F00-00000000B001}2468C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384582Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-DA3B-6050-2F00-00000000B001}2468C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384581Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-DA3B-6050-2E00-00000000B001}2880C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384580Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-DA3B-6050-2E00-00000000B001}2880C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384579Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-DA3B-6050-2D00-00000000B001}2780C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384578Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-DA3B-6050-2D00-00000000B001}2780C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384577Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-DA3B-6050-2C00-00000000B001}2736C:\Windows\system32\mqsvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384576Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-DA3B-6050-2C00-00000000B001}2736C:\Windows\system32\mqsvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384575Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-DA3B-6050-2B00-00000000B001}2488C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384574Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-DA3B-6050-2B00-00000000B001}2488C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384573Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-DA3B-6050-2A00-00000000B001}2656C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384572Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.167{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-DA3B-6050-2A00-00000000B001}2656C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384571Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.151{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-DA3B-6050-2900-00000000B001}2612C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384570Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.151{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-DA3B-6050-2900-00000000B001}2612C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384569Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.151{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-DA3B-6050-2800-00000000B001}2620C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384568Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.151{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-DA3B-6050-2800-00000000B001}2620C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384567Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.151{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-DA3B-6050-2600-00000000B001}1928C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384566Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.151{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-DA3B-6050-2600-00000000B001}1928C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384565Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.151{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-DA3B-6050-2500-00000000B001}2140C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384564Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.151{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-DA3B-6050-2500-00000000B001}2140C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384563Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.151{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-DA35-6050-2300-00000000B001}2932C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384562Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.151{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-DA35-6050-2300-00000000B001}2932C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384561Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.151{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-DA2C-6050-2100-00000000B001}2400C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384560Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.151{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-DA2C-6050-2100-00000000B001}2400C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384559Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.151{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-DA2B-6050-1700-00000000B001}1784C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384558Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.151{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-DA2B-6050-1700-00000000B001}1784C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384557Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.151{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-DA2B-6050-1600-00000000B001}1536C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384556Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.151{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-DA2B-6050-1600-00000000B001}1536C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384555Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.151{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-DA2B-6050-1500-00000000B001}1476C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384554Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.151{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-DA2B-6050-1500-00000000B001}1476C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384553Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.151{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-DA2B-6050-1400-00000000B001}1232C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384552Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.151{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-DA2B-6050-1400-00000000B001}1232C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384551Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.151{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-DA2B-6050-1300-00000000B001}1224C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384550Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.151{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-DA2B-6050-1300-00000000B001}1224C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384549Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.151{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-DA2B-6050-1200-00000000B001}1200C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384548Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.151{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-DA2B-6050-1200-00000000B001}1200C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384547Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.151{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-DA2B-6050-1100-00000000B001}1152C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384546Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.151{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-DA2B-6050-1100-00000000B001}1152C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384545Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.151{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-DA2B-6050-1000-00000000B001}1144C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384544Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.151{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-DA2B-6050-1000-00000000B001}1144C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384543Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.151{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-DA2B-6050-0F00-00000000B001}1112C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384542Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.151{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-DA2B-6050-0F00-00000000B001}1112C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384541Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.151{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-DA2B-6050-0E00-00000000B001}1064C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384540Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.151{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-DA2B-6050-0E00-00000000B001}1064C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384539Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.151{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-DA2B-6050-0D00-00000000B001}624C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384538Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.151{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-DA2B-6050-0D00-00000000B001}624C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384537Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.151{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-DA2B-6050-0C00-00000000B001}584C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384536Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.151{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-DA2B-6050-0C00-00000000B001}584C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384535Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.151{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-DA28-6050-0B00-00000000B001}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384534Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.151{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-DA28-6050-0B00-00000000B001}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384533Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.151{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-DA28-6050-0900-00000000B001}792C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384532Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.151{9A05EE67-E8B0-6050-4416-00000000B001}1146413844C:\Windows\system32\rundll32.exe{9A05EE67-DA28-6050-0900-00000000B001}792C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x80000000000000002384531Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:45.692{9A05EE67-DA28-6050-0B00-00000000B001}852C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:e9f1:b27:5240:b65win-dc-622.attackrange.local25318-truefe80:0:0:0:e9f1:b27:5240:b65win-dc-622.attackrange.local389ldap 354300x80000000000000002384530Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:45.692{9A05EE67-E8AD-6050-4216-00000000B001}13956C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:e9f1:b27:5240:b65win-dc-622.attackrange.local25318-truefe80:0:0:0:e9f1:b27:5240:b65win-dc-622.attackrange.local389ldap 354300x80000000000000002384529Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:45.689{9A05EE67-DA28-6050-0B00-00000000B001}852C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:e9f1:b27:5240:b65win-dc-622.attackrange.local25317-truefe80:0:0:0:e9f1:b27:5240:b65win-dc-622.attackrange.local389ldap 354300x80000000000000002384528Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:45.689{9A05EE67-E8AD-6050-4216-00000000B001}13956C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:e9f1:b27:5240:b65win-dc-622.attackrange.local25317-truefe80:0:0:0:e9f1:b27:5240:b65win-dc-622.attackrange.local389ldap 354300x80000000000000002384527Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:45.684{9A05EE67-DA28-6050-0B00-00000000B001}852C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-622.attackrange.local25316-false10.0.1.14win-dc-622.attackrange.local389ldap 354300x80000000000000002384526Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:45.684{9A05EE67-E8AD-6050-4216-00000000B001}13956C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-622.attackrange.local25316-false10.0.1.14win-dc-622.attackrange.local389ldap 23542300x80000000000000002384525Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.010{9A05EE67-1F89-6051-4021-00000000B001}19804NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A31BAD18E4FB8B7FC9630374FFC7E2AC,SHA256=12690B0182E9347E3DEA264DFADA844D0F59E83F311CDE407CF57AC0867414AE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002384524Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.010{9A05EE67-1F7A-6051-0D21-00000000B001}233964636C:\Windows\system32\conhost.exe{9A05EE67-25A3-6051-7A23-00000000B001}10596C:\Program Files\SplunkUniversalForwarder\bin\splunk-winhostinfo.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384523Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.010{9A05EE67-DA2B-6050-0C00-00000000B001}5847232C:\Windows\system32\svchost.exe{9A05EE67-DA3B-6050-3000-00000000B001}2900C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384522Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.010{9A05EE67-DA2B-6050-0C00-00000000B001}5847232C:\Windows\system32\svchost.exe{9A05EE67-DA3B-6050-3000-00000000B001}2900C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384521Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.010{9A05EE67-DA2B-6050-0C00-00000000B001}5847232C:\Windows\system32\svchost.exe{9A05EE67-DA3B-6050-3000-00000000B001}2900C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384520Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.010{9A05EE67-DA2B-6050-0C00-00000000B001}5847232C:\Windows\system32\svchost.exe{9A05EE67-DA3B-6050-3000-00000000B001}2900C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002384519Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.010{9A05EE67-DA28-6050-0500-00000000B001}636752C:\Windows\system32\csrss.exe{9A05EE67-25A3-6051-7A23-00000000B001}10596C:\Program Files\SplunkUniversalForwarder\bin\splunk-winhostinfo.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002384518Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.010{9A05EE67-1F79-6051-0921-00000000B001}2615225328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{9A05EE67-25A3-6051-7A23-00000000B001}10596C:\Program Files\SplunkUniversalForwarder\bin\splunk-winhostinfo.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002384517Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:47.012{9A05EE67-25A3-6051-7A23-00000000B001}10596C:\Program Files\SplunkUniversalForwarder\bin\splunk-winhostinfo.exe8.0.2Monitor windows hostsplunk ApplicationSplunk Inc.splunk-winhostmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winhostinfo.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9A05EE67-DA29-6050-E703-000000000000}0x3e70SystemMD5=6905A24BF9B6295BD2422337204977D6,SHA256=2B86EC7EBCE7C0A3A77BA1A9B60B67BDA07778DF9E33E89065460BA059BC5A64,IMPHASH=B8203BDD5C47E5110CE749A0AD73B071{9A05EE67-1F79-6051-0921-00000000B001}26152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002385462Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.245{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-25A3-6051-7B23-00000000B001}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-winhostinfo.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385461Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.245{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-25A3-6051-7A23-00000000B001}10596C:\Program Files\SplunkUniversalForwarder\bin\splunk-winhostinfo.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385460Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.245{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-20BB-6051-CA21-00000000B001}25052C:\Windows\system32\nslookup.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385459Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.245{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-20BB-6051-C921-00000000B001}16536C:\Windows\system32\nslookup.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385458Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.245{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-20BB-6051-C821-00000000B001}21956C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385457Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.245{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-20BB-6051-C721-00000000B001}23524C:\Windows\SYSTEM32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385456Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.245{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-20BB-6051-C621-00000000B001}10816C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385455Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.245{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-20BB-6051-C521-00000000B001}5244C:\Windows\SYSTEM32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385454Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.245{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-20A0-6051-A621-00000000B001}15716C:\Windows\system32\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385453Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.245{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-202A-6051-7E21-00000000B001}4240C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385452Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.245{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-1F89-6051-4021-00000000B001}19804C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385451Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.245{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-1F87-6051-3C21-00000000B001}12216C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385450Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.245{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-1F87-6051-3721-00000000B001}7928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385449Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.245{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-1F7A-6051-0D21-00000000B001}23396C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385448Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.245{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-1F79-6051-0921-00000000B001}26152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385447Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.245{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-1BDC-6051-3520-00000000B001}21456C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385446Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.245{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-1BDC-6051-3420-00000000B001}11392C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385445Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.245{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-1936-6051-B71F-00000000B001}17872C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385444Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.245{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-FD4A-6050-6C1A-00000000B001}24580C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385443Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.245{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-FD16-6050-571A-00000000B001}9584C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385442Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.245{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-FD16-6050-561A-00000000B001}24120C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385441Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.245{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-FD15-6050-551A-00000000B001}8612C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385440Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.245{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-FD15-6050-541A-00000000B001}18620C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385439Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.245{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-FD13-6050-531A-00000000B001}22004C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385438Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.245{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-ED2D-6050-6E17-00000000B001}22016c:\windows\system32\inetsrv\w3wp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385437Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.229{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-ED20-6050-6117-00000000B001}21992C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\scanningprocess.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385436Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.229{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-EBF9-6050-2E17-00000000B001}6188c:\windows\system32\inetsrv\w3wp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385435Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.229{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-EBB8-6050-1E17-00000000B001}16064c:\windows\system32\inetsrv\w3wp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385434Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.229{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E9FC-6050-C916-00000000B001}18272c:\windows\system32\inetsrv\w3wp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385433Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.229{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E9ED-6050-C816-00000000B001}5704c:\windows\system32\inetsrv\w3wp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385432Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.229{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E9BD-6050-B916-00000000B001}17328c:\windows\system32\inetsrv\w3wp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385431Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.229{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E96D-6050-AB16-00000000B001}15480c:\windows\system32\inetsrv\w3wp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385430Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.229{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E959-6050-8C16-00000000B001}6868c:\windows\system32\inetsrv\w3wp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385429Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.229{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E953-6050-8016-00000000B001}14944c:\windows\system32\inetsrv\w3wp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385428Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.229{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E950-6050-7C16-00000000B001}14520c:\windows\system32\inetsrv\w3wp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385427Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.229{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E946-6050-7116-00000000B001}10832c:\windows\system32\inetsrv\w3wp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385426Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.229{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E93F-6050-6A16-00000000B001}13552c:\windows\system32\inetsrv\w3wp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385425Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.229{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E93B-6050-6616-00000000B001}13336c:\windows\system32\inetsrv\w3wp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385424Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.229{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E8D2-6050-4E16-00000000B001}14156c:\windows\system32\inetsrv\w3wp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385423Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.229{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E8B2-6050-4716-00000000B001}11216C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMRecovery.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385422Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.229{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E8B0-6050-4416-00000000B001}11464C:\Windows\system32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385421Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.229{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E8AD-6050-4316-00000000B001}12744C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385420Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.229{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E8AD-6050-4216-00000000B001}13956C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385419Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.229{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E8AC-6050-4116-00000000B001}13236C:\Windows\system32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385418Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.229{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E8A8-6050-3F16-00000000B001}14088C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385417Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.229{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E89D-6050-2916-00000000B001}13432C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Diagnostics.Service.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385416Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.229{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E893-6050-2516-00000000B001}12676C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385415Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.229{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E893-6050-2416-00000000B001}11244C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\PopImap\Microsoft.Exchange.Imap4.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385414Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.229{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E891-6050-2316-00000000B001}11696C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\PopImap\Microsoft.Exchange.Imap4Service.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385413Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.229{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E889-6050-1F16-00000000B001}4832C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385412Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.229{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E889-6050-1E16-00000000B001}13088C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\PopImap\Microsoft.Exchange.Pop3.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385411Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.229{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E889-6050-1D16-00000000B001}4956C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\PopImap\Microsoft.Exchange.Pop3Service.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385410Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.229{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E886-6050-1C16-00000000B001}13040C:\Program Files\Microsoft\Exchange Server\V15\Bin\ComplianceAuditService.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385409Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.229{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E882-6050-1816-00000000B001}12912C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeCompliance.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385408Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.229{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E87A-6050-1716-00000000B001}13144C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385407Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.229{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E87A-6050-1616-00000000B001}13132C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Imap4.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385406Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.213{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E878-6050-1316-00000000B001}12860C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Imap4Service.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385405Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.213{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E86F-6050-1216-00000000B001}12292C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385404Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.213{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E86F-6050-1116-00000000B001}11120C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Pop3.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385403Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.213{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E86E-6050-1016-00000000B001}11884C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Pop3Service.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385402Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.213{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E867-6050-0B16-00000000B001}11960C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\CallRouter\Microsoft.Exchange.UM.CallRouter.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385401Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.213{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E864-6050-0616-00000000B001}12120C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385400Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.213{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385399Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.213{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E861-6050-0116-00000000B001}10868C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeTransport.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385398Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.213{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E85A-6050-F915-00000000B001}11772C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\scanningprocess.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385397Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.213{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E85A-6050-F815-00000000B001}11708C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\scanningprocess.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385396Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.213{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E856-6050-F015-00000000B001}11876C:\Program Files\Microsoft\Exchange Server\V15\Bin\ForefrontActiveDirectoryConnector.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385395Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.213{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E854-6050-E715-00000000B001}12284C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\updateservice.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385394Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.213{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E851-6050-D915-00000000B001}11424C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\FMS.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385393Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.213{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E84F-6050-D615-00000000B001}2888C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.EdgeSyncSvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385392Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.213{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E84F-6050-D515-00000000B001}9252C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.AntispamUpdateSvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385391Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.213{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E846-6050-A315-00000000B001}2032C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxReplication.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385390Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.213{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E843-6050-A115-00000000B001}2920C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.RpcClientAccess.Service.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385389Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.213{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E83F-6050-7C15-00000000B001}5876C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385388Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.213{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E82B-6050-7015-00000000B001}7156C:\Program Files\Microsoft\Exchange Server\V15\bin\UMworkerprocess.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385387Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.213{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E829-6050-6A15-00000000B001}2460C:\Program Files\Microsoft\Exchange Server\V15\Bin\umservice.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385386Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.213{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E826-6050-6715-00000000B001}10840C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385385Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.213{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E825-6050-6515-00000000B001}3388C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeTransportLogSearch.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385384Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.213{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E824-6050-6415-00000000B001}3100C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385383Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.213{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E807-6050-1215-00000000B001}10084C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.ServiceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385382Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.213{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E764-6050-1C13-00000000B001}9980C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Store.Worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385381Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.213{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E760-6050-1A13-00000000B001}9452C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Store.Service.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385380Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.213{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E75D-6050-1813-00000000B001}5196C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDagMgmt.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385379Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.213{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E75B-6050-1613-00000000B001}7048C:\Program Files\Microsoft\Exchange Server\V15\Bin\msexchangerepl.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385378Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.213{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E75A-6050-1513-00000000B001}8932C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeThrottling.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385377Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.203{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E759-6050-1413-00000000B001}7660C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeSubmission.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385376Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.203{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E758-6050-1313-00000000B001}5828C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Search.Service.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385375Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.203{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385374Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.203{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E750-6050-0E13-00000000B001}8088C:\Windows\system32\inetsrv\inetinfo.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385373Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.203{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E555-6050-DF0C-00000000B001}9164C:\Windows\system32\wbem\wmiprvse.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385372Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.203{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E33A-6050-3208-00000000B001}9064C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\NodeRunner.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385371Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.203{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E335-6050-1D08-00000000B001}9176C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Directory.TopologyService.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385370Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.203{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E325-6050-FD07-00000000B001}6036C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\NodeRunner.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385369Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.203{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E321-6050-FC07-00000000B001}6508C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\ResourceProfile\contentengine\NodeRunner.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385368Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.203{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E311-6050-F707-00000000B001}3708C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\NodeRunner.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385367Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.203{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E30D-6050-F507-00000000B001}6040C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\HostController\hostcontrollerservice.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385366Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.203{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-E30C-6050-F407-00000000B001}5104C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Diagnostics\TraceService\sftracing.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385365Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.203{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-DFE8-6050-5902-00000000B001}3204C:\Windows\system32\inetsrv\wmsvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385364Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.203{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-DAB6-6050-A800-00000000B001}5792C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385363Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.203{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-DAA4-6050-9C00-00000000B001}5232C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385362Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.203{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-DAA4-6050-9B00-00000000B001}5128C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385361Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.203{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-DAA3-6050-9A00-00000000B001}4712C:\Windows\Explorer.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385360Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.203{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-DAA2-6050-9400-00000000B001}2476C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385359Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.202{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-DAA2-6050-9100-00000000B001}4980C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385358Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.201{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-DAA0-6050-8E00-00000000B001}1168C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385357Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.201{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-DAA0-6050-8C00-00000000B001}4796C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385356Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.200{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-DA3D-6050-4700-00000000B001}4260C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385355Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.199{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-DA3D-6050-4200-00000000B001}4152C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385354Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.199{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-DA3C-6050-3800-00000000B001}3756C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385353Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.198{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-DA3C-6050-3600-00000000B001}3636C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385352Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.198{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-DA3B-6050-3300-00000000B001}2160C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385351Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.182{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-DA3B-6050-3200-00000000B001}2204C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385350Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.182{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-DA3B-6050-3000-00000000B001}2900C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385349Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.182{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-DA3B-6050-2F00-00000000B001}2468C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385348Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.182{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-DA3B-6050-2E00-00000000B001}2880C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385347Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.182{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-DA3B-6050-2D00-00000000B001}2780C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385346Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.182{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-DA3B-6050-2C00-00000000B001}2736C:\Windows\system32\mqsvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385345Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.182{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-DA3B-6050-2B00-00000000B001}2488C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385344Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.182{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-DA3B-6050-2A00-00000000B001}2656C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385343Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.182{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-DA3B-6050-2900-00000000B001}2612C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002385342Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.182{9A05EE67-1D10-6051-7820-00000000B001}209761760C:\Windows\system32\wbem\wmiprvse.exe{9A05EE67-DA3B-6050-2800-00000000B001}2620C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 354300x80000000000000002385464Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.854{9A05EE67-DA26-6050-0100-00000000B001}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse127.0.0.1win-dc-622.attackrange.local25320-false127.0.0.1win-dc-622.attackrange.local443https 354300x80000000000000002385463Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:48.854{9A05EE67-E8AD-6050-4216-00000000B001}13956C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exeNT AUTHORITY\SYSTEMtcptruefalse127.0.0.1win-dc-622.attackrange.local25320-false127.0.0.1win-dc-622.attackrange.local443https 10341000x80000000000000002385478Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:51.510{9A05EE67-DA28-6050-0B00-00000000B001}85224896C:\Windows\system32\lsass.exe{9A05EE67-E8AD-6050-4216-00000000B001}13956C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\kerberos.DLL+8cb5a|C:\Windows\system32\kerberos.DLL+42a18|C:\Windows\system32\kerberos.DLL+40fbb|C:\Windows\system32\kerberos.DLL+148cf|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+304a5|C:\Windows\system32\lsasrv.dll+2e33b|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b 10341000x80000000000000002385477Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:51.510{9A05EE67-DA28-6050-0B00-00000000B001}85224896C:\Windows\system32\lsass.exe{9A05EE67-E8AD-6050-4216-00000000B001}13956C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+304a5|C:\Windows\system32\lsasrv.dll+2e33b|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002385476Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:51.503{9A05EE67-DA28-6050-0B00-00000000B001}852588C:\Windows\system32\lsass.exe{9A05EE67-E8AD-6050-4216-00000000B001}13956C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\kerberos.DLL+8cb5a|C:\Windows\system32\kerberos.DLL+42a18|C:\Windows\system32\kerberos.DLL+40fbb|C:\Windows\system32\kerberos.DLL+148cf|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+304a5|C:\Windows\system32\lsasrv.dll+2e33b|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b 10341000x80000000000000002385475Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:51.503{9A05EE67-DA28-6050-0B00-00000000B001}852588C:\Windows\system32\lsass.exe{9A05EE67-E8AD-6050-4216-00000000B001}13956C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+304a5|C:\Windows\system32\lsasrv.dll+2e33b|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002385474Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:51.496{9A05EE67-DA28-6050-0B00-00000000B001}85224896C:\Windows\system32\lsass.exe{9A05EE67-E8AD-6050-4216-00000000B001}13956C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\kerberos.DLL+8cb5a|C:\Windows\system32\kerberos.DLL+42a18|C:\Windows\system32\kerberos.DLL+40fbb|C:\Windows\system32\kerberos.DLL+148cf|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+304a5|C:\Windows\system32\lsasrv.dll+2e33b|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b 10341000x80000000000000002385473Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:51.496{9A05EE67-DA28-6050-0B00-00000000B001}85224896C:\Windows\system32\lsass.exe{9A05EE67-E8AD-6050-4216-00000000B001}13956C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+304a5|C:\Windows\system32\lsasrv.dll+2e33b|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002385472Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:51.463{9A05EE67-E30D-6050-F507-00000000B001}60403392C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\HostController\hostcontrollerservice.exe{9A05EE67-E33A-6050-3208-00000000B001}9064C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\NodeRunner.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF9F9C39CD0) 10341000x80000000000000002385471Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:51.463{9A05EE67-E30D-6050-F507-00000000B001}60403392C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\HostController\hostcontrollerservice.exe{9A05EE67-E33A-6050-3208-00000000B001}9064C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\NodeRunner.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF9F9C39CD0) 10341000x80000000000000002385470Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:51.463{9A05EE67-E30D-6050-F507-00000000B001}60403392C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\HostController\hostcontrollerservice.exe{9A05EE67-E325-6050-FD07-00000000B001}6036C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\NodeRunner.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF9F9C39CD0) 10341000x80000000000000002385469Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:51.463{9A05EE67-E30D-6050-F507-00000000B001}60403392C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\HostController\hostcontrollerservice.exe{9A05EE67-E325-6050-FD07-00000000B001}6036C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\NodeRunner.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF9F9C39CD0) 10341000x80000000000000002385468Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:51.463{9A05EE67-E30D-6050-F507-00000000B001}60403392C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\HostController\hostcontrollerservice.exe{9A05EE67-E321-6050-FC07-00000000B001}6508C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\ResourceProfile\contentengine\NodeRunner.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF9F9C39CD0) 10341000x80000000000000002385467Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:51.463{9A05EE67-E30D-6050-F507-00000000B001}60403392C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\HostController\hostcontrollerservice.exe{9A05EE67-E321-6050-FC07-00000000B001}6508C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\ResourceProfile\contentengine\NodeRunner.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF9F9C39CD0) 10341000x80000000000000002385466Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:51.463{9A05EE67-E30D-6050-F507-00000000B001}60403392C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\HostController\hostcontrollerservice.exe{9A05EE67-E311-6050-F707-00000000B001}3708C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\NodeRunner.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF9F9C39CD0) 10341000x80000000000000002385465Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:51.463{9A05EE67-E30D-6050-F507-00000000B001}60403392C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\HostController\hostcontrollerservice.exe{9A05EE67-E311-6050-F707-00000000B001}3708C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\NodeRunner.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF9F9C39CD0) 354300x80000000000000002385489Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:51.175{9A05EE67-DA26-6050-0100-00000000B001}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-622.attackrange.local25324-false10.0.1.14win-dc-622.attackrange.local443https 354300x80000000000000002385488Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:51.175{9A05EE67-E8AD-6050-4216-00000000B001}13956C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-622.attackrange.local25324-false10.0.1.14win-dc-622.attackrange.local443https 23542300x80000000000000002385487Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:52.729{9A05EE67-1F89-6051-4021-00000000B001}19804NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B1CEE1110B3DCF5B6BFF73C8039061C1,SHA256=E7A7FD60AE98A09FB32029B1AD0F47327FA1AC6FCAEE1724CE82013351B683AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002385486Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:52.729{9A05EE67-1F89-6051-4021-00000000B001}19804NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AE8E843568D67EECB8CA3F7FDFE6435D,SHA256=EA41AC01C009B6D58E1F125297F4BD8457CBBE149B3BE3B13FBA31D390EE4769,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002385485Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:51.163{9A05EE67-DA26-6050-0100-00000000B001}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:e9f1:b27:5240:b65win-dc-622.attackrange.local25323-truefe80:0:0:0:e9f1:b27:5240:b65win-dc-622.attackrange.local443https 354300x80000000000000002385484Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:51.163{9A05EE67-E8AD-6050-4216-00000000B001}13956C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:e9f1:b27:5240:b65win-dc-622.attackrange.local25323-truefe80:0:0:0:e9f1:b27:5240:b65win-dc-622.attackrange.local443https 354300x80000000000000002385483Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:51.152{9A05EE67-DA26-6050-0100-00000000B001}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-622.attackrange.local25322-false10.0.1.14win-dc-622.attackrange.local443https 354300x80000000000000002385482Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:51.152{9A05EE67-E8AD-6050-4216-00000000B001}13956C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-622.attackrange.local25322-false10.0.1.14win-dc-622.attackrange.local443https 23542300x80000000000000002385481Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:52.385{9A05EE67-DA2B-6050-1000-00000000B001}1144NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=670BFED33DC40DD61B525DF032C20855,SHA256=38AAB25DFDB0B4196FA6E73510128685F0727DD8C07B8F171DEBD38ABB701D7E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002385480Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:50.588{9A05EE67-DA26-6050-0100-00000000B001}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-622.attackrange.local25321-true0:0:0:0:0:0:0:1win-dc-622.attackrange.local443https 354300x80000000000000002385479Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:50.588{9A05EE67-E8AD-6050-4216-00000000B001}13956C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-622.attackrange.local25321-true0:0:0:0:0:0:0:1win-dc-622.attackrange.local443https 354300x80000000000000002385493Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:51.807{9A05EE67-1F87-6051-3721-00000000B001}7928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-622.attackrange.local25325-false10.0.1.12-8000- 10341000x80000000000000002385492Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:53.354{9A05EE67-DA28-6050-0B00-00000000B001}85224896C:\Windows\system32\lsass.exe{9A05EE67-E8AD-6050-4216-00000000B001}13956C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\msv1_0.DLL+1d351|C:\Windows\system32\msv1_0.DLL+e79c|C:\Windows\system32\msv1_0.DLL+64a9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002385491Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:53.354{9A05EE67-DA28-6050-0B00-00000000B001}85224896C:\Windows\system32\lsass.exe{9A05EE67-E8AD-6050-4216-00000000B001}13956C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\msv1_0.DLL+1d351|C:\Windows\system32\msv1_0.DLL+e79c|C:\Windows\system32\msv1_0.DLL+64a9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002385490Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:53.338{9A05EE67-DA28-6050-0B00-00000000B001}852588C:\Windows\system32\lsass.exe{9A05EE67-E8AD-6050-4216-00000000B001}13956C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\msv1_0.DLL+1d351|C:\Windows\system32\msv1_0.DLL+e79c|C:\Windows\system32\msv1_0.DLL+64a9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002385517Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:54.510{9A05EE67-1F89-6051-4021-00000000B001}19804NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B1CEE1110B3DCF5B6BFF73C8039061C1,SHA256=E7A7FD60AE98A09FB32029B1AD0F47327FA1AC6FCAEE1724CE82013351B683AB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002385516Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:53.026{9A05EE67-E843-6050-A115-00000000B001}2920C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.RpcClientAccess.Service.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-622.attackrange.local25335-true0:0:0:0:0:0:0:1win-dc-622.attackrange.local6001- 354300x80000000000000002385515Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:53.026{9A05EE67-EBF9-6050-2E17-00000000B001}6188C:\Windows\System32\inetsrv\w3wp.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-622.attackrange.local25335-true0:0:0:0:0:0:0:1win-dc-622.attackrange.local6001- 354300x80000000000000002385514Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:53.024{9A05EE67-E843-6050-A115-00000000B001}2920C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.RpcClientAccess.Service.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-622.attackrange.local25334-true0:0:0:0:0:0:0:1win-dc-622.attackrange.local6001- 354300x80000000000000002385513Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:53.024{9A05EE67-EBF9-6050-2E17-00000000B001}6188C:\Windows\System32\inetsrv\w3wp.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-622.attackrange.local25334-true0:0:0:0:0:0:0:1win-dc-622.attackrange.local6001- 354300x80000000000000002385512Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:53.022{9A05EE67-DA26-6050-0100-00000000B001}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:e9f1:b27:5240:b65win-dc-622.attackrange.local25333-truefe80:0:0:0:e9f1:b27:5240:b65win-dc-622.attackrange.local444- 354300x80000000000000002385511Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:53.022{9A05EE67-EBB8-6050-1E17-00000000B001}16064C:\Windows\System32\inetsrv\w3wp.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:e9f1:b27:5240:b65win-dc-622.attackrange.local25333-truefe80:0:0:0:e9f1:b27:5240:b65win-dc-622.attackrange.local444- 354300x80000000000000002385510Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:53.020{9A05EE67-DA26-6050-0100-00000000B001}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-622.attackrange.local25332-false10.0.1.14win-dc-622.attackrange.local444- 354300x80000000000000002385509Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:53.020{9A05EE67-EBB8-6050-1E17-00000000B001}16064C:\Windows\System32\inetsrv\w3wp.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-622.attackrange.local25332-false10.0.1.14win-dc-622.attackrange.local444- 354300x80000000000000002385508Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:53.018{9A05EE67-DA26-6050-0100-00000000B001}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:e9f1:b27:5240:b65win-dc-622.attackrange.local25331-truefe80:0:0:0:e9f1:b27:5240:b65win-dc-622.attackrange.local444- 354300x80000000000000002385507Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:53.018{9A05EE67-EBB8-6050-1E17-00000000B001}16064C:\Windows\System32\inetsrv\w3wp.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:e9f1:b27:5240:b65win-dc-622.attackrange.local25331-truefe80:0:0:0:e9f1:b27:5240:b65win-dc-622.attackrange.local444- 354300x80000000000000002385506Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:53.014{9A05EE67-DA26-6050-0100-00000000B001}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:e9f1:b27:5240:b65win-dc-622.attackrange.local25330-truefe80:0:0:0:e9f1:b27:5240:b65win-dc-622.attackrange.local80http 354300x80000000000000002385505Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:53.014{9A05EE67-E8AD-6050-4216-00000000B001}13956C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:e9f1:b27:5240:b65win-dc-622.attackrange.local25330-truefe80:0:0:0:e9f1:b27:5240:b65win-dc-622.attackrange.local80http 354300x80000000000000002385504Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:53.012{9A05EE67-DA26-6050-0100-00000000B001}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:e9f1:b27:5240:b65win-dc-622.attackrange.local25329-truefe80:0:0:0:e9f1:b27:5240:b65win-dc-622.attackrange.local80http 354300x80000000000000002385503Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:53.012{9A05EE67-E8AD-6050-4216-00000000B001}13956C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:e9f1:b27:5240:b65win-dc-622.attackrange.local25329-truefe80:0:0:0:e9f1:b27:5240:b65win-dc-622.attackrange.local80http 354300x80000000000000002385502Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:53.006{9A05EE67-DA26-6050-0100-00000000B001}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-622.attackrange.local25328-false10.0.1.14win-dc-622.attackrange.local444- 354300x80000000000000002385501Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:53.006{9A05EE67-EBB8-6050-1E17-00000000B001}16064C:\Windows\System32\inetsrv\w3wp.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-622.attackrange.local25328-false10.0.1.14win-dc-622.attackrange.local444- 354300x80000000000000002385500Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:53.001{9A05EE67-DA26-6050-0100-00000000B001}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:e9f1:b27:5240:b65win-dc-622.attackrange.local25327-truefe80:0:0:0:e9f1:b27:5240:b65win-dc-622.attackrange.local444- 354300x80000000000000002385499Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:53.001{9A05EE67-EBB8-6050-1E17-00000000B001}16064C:\Windows\System32\inetsrv\w3wp.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:e9f1:b27:5240:b65win-dc-622.attackrange.local25327-truefe80:0:0:0:e9f1:b27:5240:b65win-dc-622.attackrange.local444- 354300x80000000000000002385498Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:52.995{9A05EE67-DA26-6050-0100-00000000B001}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:e9f1:b27:5240:b65win-dc-622.attackrange.local25326-truefe80:0:0:0:e9f1:b27:5240:b65win-dc-622.attackrange.local80http 354300x80000000000000002385497Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:52.995{9A05EE67-E8AD-6050-4216-00000000B001}13956C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:e9f1:b27:5240:b65win-dc-622.attackrange.local25326-truefe80:0:0:0:e9f1:b27:5240:b65win-dc-622.attackrange.local80http 10341000x80000000000000002385496Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:54.354{9A05EE67-DA28-6050-0B00-00000000B001}85224896C:\Windows\system32\lsass.exe{9A05EE67-E8AD-6050-4216-00000000B001}13956C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\kerberos.DLL+8cb5a|C:\Windows\system32\kerberos.DLL+42a18|C:\Windows\system32\kerberos.DLL+40fbb|C:\Windows\system32\kerberos.DLL+148cf|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+304a5|C:\Windows\system32\lsasrv.dll+2e33b|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b 10341000x80000000000000002385495Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:54.354{9A05EE67-DA28-6050-0B00-00000000B001}85224896C:\Windows\system32\lsass.exe{9A05EE67-E8AD-6050-4216-00000000B001}13956C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+304a5|C:\Windows\system32\lsasrv.dll+2e33b|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000002385494Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:54.323{9A05EE67-E864-6050-0516-00000000B001}12084NT AUTHORITY\NETWORK SERVICEC:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exeC:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\Hub\QueueViewer\QueueSnapShot.xmlMD5=50EA2DA34E053C1926B34F6E1C761C77,SHA256=71A7ACB96C3781F42D40BA6CFACE77887948A0C682C671752B066B1254144AF8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002385794Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:54.012{9A05EE67-DA26-6050-0100-00000000B001}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse127.0.0.1win-dc-622.attackrange.local25336-false127.0.0.1win-dc-622.attackrange.local443https 354300x80000000000000002385793Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:54.012{9A05EE67-E8AD-6050-4216-00000000B001}13956C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exeNT AUTHORITY\SYSTEMtcptruefalse127.0.0.1win-dc-622.attackrange.local25336-false127.0.0.1win-dc-622.attackrange.local443https 10341000x80000000000000002385792Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-20BB-6051-CA21-00000000B001}25052C:\Windows\system32\nslookup.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385791Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-20BB-6051-CA21-00000000B001}25052C:\Windows\system32\nslookup.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385790Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-20BB-6051-C921-00000000B001}16536C:\Windows\system32\nslookup.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385789Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-20BB-6051-C921-00000000B001}16536C:\Windows\system32\nslookup.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385788Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-20BB-6051-C821-00000000B001}21956C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385787Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-20BB-6051-C821-00000000B001}21956C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385786Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-20BB-6051-C721-00000000B001}23524C:\Windows\SYSTEM32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385785Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-20BB-6051-C721-00000000B001}23524C:\Windows\SYSTEM32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385784Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-20BB-6051-C621-00000000B001}10816C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385783Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-20BB-6051-C621-00000000B001}10816C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385782Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-20BB-6051-C521-00000000B001}5244C:\Windows\SYSTEM32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385781Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-20BB-6051-C521-00000000B001}5244C:\Windows\SYSTEM32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385780Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-20A0-6051-A621-00000000B001}15716C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385779Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-20A0-6051-A621-00000000B001}15716C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385778Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-202A-6051-7E21-00000000B001}4240C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385777Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-202A-6051-7E21-00000000B001}4240C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385776Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-1F89-6051-4021-00000000B001}19804C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385775Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-1F89-6051-4021-00000000B001}19804C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385774Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-1F87-6051-3721-00000000B001}7928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385773Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-1F87-6051-3721-00000000B001}7928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385772Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-1F7A-6051-0D21-00000000B001}23396C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385771Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-1F7A-6051-0D21-00000000B001}23396C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385770Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-1F79-6051-0921-00000000B001}26152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385769Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-1F79-6051-0921-00000000B001}26152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385768Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-1D10-6051-7820-00000000B001}20976C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385767Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-1D10-6051-7820-00000000B001}20976C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385766Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-1BDC-6051-3520-00000000B001}21456C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385765Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-1BDC-6051-3520-00000000B001}21456C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385764Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-1BDC-6051-3420-00000000B001}11392C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385763Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-1BDC-6051-3420-00000000B001}11392C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385762Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-1936-6051-B71F-00000000B001}17872C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385761Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-1936-6051-B71F-00000000B001}17872C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385760Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-FD4A-6050-6C1A-00000000B001}24580C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385759Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-FD4A-6050-6C1A-00000000B001}24580C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385758Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-FD16-6050-571A-00000000B001}9584C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385757Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-FD16-6050-571A-00000000B001}9584C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385756Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-FD16-6050-561A-00000000B001}24120C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385755Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-FD16-6050-561A-00000000B001}24120C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385754Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-FD15-6050-551A-00000000B001}8612C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385753Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-FD15-6050-551A-00000000B001}8612C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385752Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-FD15-6050-541A-00000000B001}18620C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385751Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-FD15-6050-541A-00000000B001}18620C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385750Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-FD13-6050-531A-00000000B001}22004C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385749Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-FD13-6050-531A-00000000B001}22004C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385748Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-ED2D-6050-6E17-00000000B001}22016c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385747Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-ED2D-6050-6E17-00000000B001}22016c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385746Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-ED20-6050-6117-00000000B001}21992C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\scanningprocess.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385745Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-ED20-6050-6117-00000000B001}21992C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\scanningprocess.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385744Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-EBF9-6050-2E17-00000000B001}6188c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385743Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-EBF9-6050-2E17-00000000B001}6188c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385742Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-EBB8-6050-1E17-00000000B001}16064c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385741Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-EBB8-6050-1E17-00000000B001}16064c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385740Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E9FC-6050-C916-00000000B001}18272c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385739Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E9FC-6050-C916-00000000B001}18272c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385738Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E9ED-6050-C816-00000000B001}5704c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385737Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E9ED-6050-C816-00000000B001}5704c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385736Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E9BD-6050-B916-00000000B001}17328c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385735Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E9BD-6050-B916-00000000B001}17328c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385734Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E96D-6050-AB16-00000000B001}15480c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385733Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E96D-6050-AB16-00000000B001}15480c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385732Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E959-6050-8C16-00000000B001}6868c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385731Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E959-6050-8C16-00000000B001}6868c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385730Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E953-6050-8016-00000000B001}14944c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385729Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E953-6050-8016-00000000B001}14944c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385728Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E950-6050-7C16-00000000B001}14520c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385727Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E950-6050-7C16-00000000B001}14520c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385726Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E946-6050-7116-00000000B001}10832c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385725Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E946-6050-7116-00000000B001}10832c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385724Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E93F-6050-6A16-00000000B001}13552c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385723Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E93F-6050-6A16-00000000B001}13552c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385722Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E93B-6050-6616-00000000B001}13336c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385721Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E93B-6050-6616-00000000B001}13336c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385720Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E8D2-6050-4E16-00000000B001}14156c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385719Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E8D2-6050-4E16-00000000B001}14156c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385718Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E8B2-6050-4716-00000000B001}11216C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMRecovery.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385717Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E8B2-6050-4716-00000000B001}11216C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMRecovery.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385716Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E8B0-6050-4416-00000000B001}11464C:\Windows\system32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385715Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E8B0-6050-4416-00000000B001}11464C:\Windows\system32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385714Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E8AD-6050-4316-00000000B001}12744C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385713Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E8AD-6050-4316-00000000B001}12744C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385712Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E8AD-6050-4216-00000000B001}13956C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385711Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E8AD-6050-4216-00000000B001}13956C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385710Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E8AC-6050-4116-00000000B001}13236C:\Windows\system32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385709Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E8AC-6050-4116-00000000B001}13236C:\Windows\system32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385708Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E8A8-6050-3F16-00000000B001}14088C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385707Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E8A8-6050-3F16-00000000B001}14088C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385706Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E89D-6050-2916-00000000B001}13432C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Diagnostics.Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385705Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E89D-6050-2916-00000000B001}13432C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Diagnostics.Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385704Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E893-6050-2516-00000000B001}12676C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385703Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E893-6050-2516-00000000B001}12676C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385702Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E893-6050-2416-00000000B001}11244C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\PopImap\Microsoft.Exchange.Imap4.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385701Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E893-6050-2416-00000000B001}11244C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\PopImap\Microsoft.Exchange.Imap4.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385700Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E891-6050-2316-00000000B001}11696C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\PopImap\Microsoft.Exchange.Imap4Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385699Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.651{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E891-6050-2316-00000000B001}11696C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\PopImap\Microsoft.Exchange.Imap4Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385698Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E889-6050-1F16-00000000B001}4832C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385697Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E889-6050-1F16-00000000B001}4832C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385696Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E889-6050-1E16-00000000B001}13088C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\PopImap\Microsoft.Exchange.Pop3.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385695Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E889-6050-1E16-00000000B001}13088C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\PopImap\Microsoft.Exchange.Pop3.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385694Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E889-6050-1D16-00000000B001}4956C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\PopImap\Microsoft.Exchange.Pop3Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385693Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E889-6050-1D16-00000000B001}4956C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\PopImap\Microsoft.Exchange.Pop3Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385692Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E886-6050-1C16-00000000B001}13040C:\Program Files\Microsoft\Exchange Server\V15\Bin\ComplianceAuditService.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385691Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E886-6050-1C16-00000000B001}13040C:\Program Files\Microsoft\Exchange Server\V15\Bin\ComplianceAuditService.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385690Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E882-6050-1816-00000000B001}12912C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeCompliance.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385689Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E882-6050-1816-00000000B001}12912C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeCompliance.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385688Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E87A-6050-1716-00000000B001}13144C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385687Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E87A-6050-1716-00000000B001}13144C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385686Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E87A-6050-1616-00000000B001}13132C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Imap4.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385685Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E87A-6050-1616-00000000B001}13132C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Imap4.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385684Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E878-6050-1316-00000000B001}12860C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Imap4Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385683Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E878-6050-1316-00000000B001}12860C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Imap4Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385682Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E86F-6050-1216-00000000B001}12292C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385681Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E86F-6050-1216-00000000B001}12292C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385680Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E86F-6050-1116-00000000B001}11120C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Pop3.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385679Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E86F-6050-1116-00000000B001}11120C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Pop3.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385678Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E86E-6050-1016-00000000B001}11884C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Pop3Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385677Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E86E-6050-1016-00000000B001}11884C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Pop3Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385676Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E867-6050-0B16-00000000B001}11960C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\CallRouter\Microsoft.Exchange.UM.CallRouter.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385675Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E867-6050-0B16-00000000B001}11960C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\CallRouter\Microsoft.Exchange.UM.CallRouter.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385674Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E864-6050-0616-00000000B001}12120C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385673Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E864-6050-0616-00000000B001}12120C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385672Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385671Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385670Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E861-6050-0116-00000000B001}10868C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385669Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E861-6050-0116-00000000B001}10868C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385668Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E85A-6050-F915-00000000B001}11772C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\scanningprocess.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385667Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E85A-6050-F915-00000000B001}11772C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\scanningprocess.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385666Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E85A-6050-F815-00000000B001}11708C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\scanningprocess.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385665Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E85A-6050-F815-00000000B001}11708C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\scanningprocess.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385664Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E856-6050-F015-00000000B001}11876C:\Program Files\Microsoft\Exchange Server\V15\Bin\ForefrontActiveDirectoryConnector.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385663Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E856-6050-F015-00000000B001}11876C:\Program Files\Microsoft\Exchange Server\V15\Bin\ForefrontActiveDirectoryConnector.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385662Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E854-6050-E715-00000000B001}12284C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\updateservice.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385661Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E854-6050-E715-00000000B001}12284C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\updateservice.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385660Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E851-6050-D915-00000000B001}11424C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\FMS.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385659Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E851-6050-D915-00000000B001}11424C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\FMS.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385658Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E84F-6050-D615-00000000B001}2888C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.EdgeSyncSvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385657Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E84F-6050-D615-00000000B001}2888C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.EdgeSyncSvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385656Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E84F-6050-D515-00000000B001}9252C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.AntispamUpdateSvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385655Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E84F-6050-D515-00000000B001}9252C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.AntispamUpdateSvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385654Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E846-6050-A315-00000000B001}2032C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxReplication.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385653Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E846-6050-A315-00000000B001}2032C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxReplication.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385652Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E843-6050-A115-00000000B001}2920C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.RpcClientAccess.Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385651Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E843-6050-A115-00000000B001}2920C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.RpcClientAccess.Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385650Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E83F-6050-7C15-00000000B001}5876C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385649Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E83F-6050-7C15-00000000B001}5876C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385648Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E82B-6050-7015-00000000B001}7156C:\Program Files\Microsoft\Exchange Server\V15\bin\UMworkerprocess.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385647Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E82B-6050-7015-00000000B001}7156C:\Program Files\Microsoft\Exchange Server\V15\bin\UMworkerprocess.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385646Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E829-6050-6A15-00000000B001}2460C:\Program Files\Microsoft\Exchange Server\V15\Bin\umservice.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385645Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E829-6050-6A15-00000000B001}2460C:\Program Files\Microsoft\Exchange Server\V15\Bin\umservice.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385644Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E826-6050-6715-00000000B001}10840C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385643Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E826-6050-6715-00000000B001}10840C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385642Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E825-6050-6515-00000000B001}3388C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeTransportLogSearch.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385641Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E825-6050-6515-00000000B001}3388C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeTransportLogSearch.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385640Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E824-6050-6415-00000000B001}3100C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385639Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E824-6050-6415-00000000B001}3100C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385638Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E807-6050-1215-00000000B001}10084C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.ServiceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385637Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E807-6050-1215-00000000B001}10084C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.ServiceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385636Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E764-6050-1C13-00000000B001}9980C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Store.Worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385635Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E764-6050-1C13-00000000B001}9980C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Store.Worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385634Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E760-6050-1A13-00000000B001}9452C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Store.Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385633Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E760-6050-1A13-00000000B001}9452C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Store.Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385632Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E75D-6050-1813-00000000B001}5196C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDagMgmt.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385631Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E75D-6050-1813-00000000B001}5196C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDagMgmt.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385630Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E75B-6050-1613-00000000B001}7048C:\Program Files\Microsoft\Exchange Server\V15\Bin\msexchangerepl.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385629Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E75B-6050-1613-00000000B001}7048C:\Program Files\Microsoft\Exchange Server\V15\Bin\msexchangerepl.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385628Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E75A-6050-1513-00000000B001}8932C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeThrottling.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385627Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E75A-6050-1513-00000000B001}8932C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeThrottling.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385626Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E759-6050-1413-00000000B001}7660C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeSubmission.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385625Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E759-6050-1413-00000000B001}7660C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeSubmission.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385624Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E758-6050-1313-00000000B001}5828C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Search.Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385623Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E758-6050-1313-00000000B001}5828C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Search.Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385622Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385621Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385620Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E750-6050-0E13-00000000B001}8088C:\Windows\system32\inetsrv\inetinfo.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385619Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E750-6050-0E13-00000000B001}8088C:\Windows\system32\inetsrv\inetinfo.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385618Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E555-6050-DF0C-00000000B001}9164C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385617Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E555-6050-DF0C-00000000B001}9164C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385616Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E33A-6050-3208-00000000B001}9064C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\NodeRunner.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385615Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E33A-6050-3208-00000000B001}9064C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\NodeRunner.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385614Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E335-6050-1D08-00000000B001}9176C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Directory.TopologyService.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385613Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E335-6050-1D08-00000000B001}9176C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Directory.TopologyService.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385612Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E325-6050-FD07-00000000B001}6036C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\NodeRunner.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385611Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E325-6050-FD07-00000000B001}6036C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\NodeRunner.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385610Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E321-6050-FC07-00000000B001}6508C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\ResourceProfile\contentengine\NodeRunner.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385609Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E321-6050-FC07-00000000B001}6508C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\ResourceProfile\contentengine\NodeRunner.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385608Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E311-6050-F707-00000000B001}3708C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\NodeRunner.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385607Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E311-6050-F707-00000000B001}3708C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\NodeRunner.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385606Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E30D-6050-F507-00000000B001}6040C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\HostController\hostcontrollerservice.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385605Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E30D-6050-F507-00000000B001}6040C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\HostController\hostcontrollerservice.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385604Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E30C-6050-F407-00000000B001}5104C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Diagnostics\TraceService\sftracing.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385603Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-E30C-6050-F407-00000000B001}5104C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Diagnostics\TraceService\sftracing.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385602Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DFE8-6050-5902-00000000B001}3204C:\Windows\system32\inetsrv\wmsvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385601Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DFE8-6050-5902-00000000B001}3204C:\Windows\system32\inetsrv\wmsvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385600Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DAB6-6050-A800-00000000B001}5792C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385599Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DAB6-6050-A800-00000000B001}5792C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385598Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DAA4-6050-9C00-00000000B001}5232C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385597Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DAA4-6050-9C00-00000000B001}5232C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385596Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DAA4-6050-9B00-00000000B001}5128C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385595Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DAA4-6050-9B00-00000000B001}5128C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385594Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DAA3-6050-9A00-00000000B001}4712C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385593Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DAA3-6050-9A00-00000000B001}4712C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385592Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DAA2-6050-9400-00000000B001}2476C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385591Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DAA2-6050-9400-00000000B001}2476C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385590Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DAA2-6050-9100-00000000B001}4980C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385589Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DAA2-6050-9100-00000000B001}4980C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385588Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DAA0-6050-8E00-00000000B001}1168C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385587Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DAA0-6050-8E00-00000000B001}1168C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385586Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DAA0-6050-8C00-00000000B001}4796C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385585Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DAA0-6050-8C00-00000000B001}4796C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385584Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA3D-6050-4700-00000000B001}4260C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385583Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA3D-6050-4700-00000000B001}4260C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385582Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA3D-6050-4200-00000000B001}4152C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385581Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA3D-6050-4200-00000000B001}4152C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385580Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA3C-6050-3800-00000000B001}3756C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385579Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA3C-6050-3800-00000000B001}3756C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385578Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.635{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA3C-6050-3600-00000000B001}3636C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385577Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.619{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA3C-6050-3600-00000000B001}3636C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385576Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.619{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA3B-6050-3300-00000000B001}2160C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385575Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.619{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA3B-6050-3300-00000000B001}2160C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385574Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.619{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA3B-6050-3200-00000000B001}2204C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385573Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.619{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA3B-6050-3200-00000000B001}2204C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385572Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.619{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA3B-6050-3000-00000000B001}2900C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385571Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.619{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA3B-6050-3000-00000000B001}2900C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385570Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.619{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA3B-6050-2F00-00000000B001}2468C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385569Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.619{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA3B-6050-2F00-00000000B001}2468C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385568Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.619{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA3B-6050-2E00-00000000B001}2880C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385567Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.619{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA3B-6050-2E00-00000000B001}2880C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385566Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.619{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA3B-6050-2D00-00000000B001}2780C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385565Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.619{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA3B-6050-2D00-00000000B001}2780C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385564Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.619{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA3B-6050-2C00-00000000B001}2736C:\Windows\system32\mqsvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385563Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.619{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA3B-6050-2C00-00000000B001}2736C:\Windows\system32\mqsvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385562Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.619{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA3B-6050-2B00-00000000B001}2488C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385561Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.619{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA3B-6050-2B00-00000000B001}2488C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385560Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.619{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA3B-6050-2A00-00000000B001}2656C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385559Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.619{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA3B-6050-2A00-00000000B001}2656C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385558Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.619{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA3B-6050-2900-00000000B001}2612C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385557Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.619{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA3B-6050-2900-00000000B001}2612C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385556Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.619{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA3B-6050-2800-00000000B001}2620C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385555Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.619{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA3B-6050-2800-00000000B001}2620C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385554Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.619{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA3B-6050-2600-00000000B001}1928C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385553Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.619{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA3B-6050-2600-00000000B001}1928C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385552Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.619{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA3B-6050-2500-00000000B001}2140C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385551Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.619{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA3B-6050-2500-00000000B001}2140C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385550Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.619{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA35-6050-2300-00000000B001}2932C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385549Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.619{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA35-6050-2300-00000000B001}2932C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385548Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.619{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA2C-6050-2100-00000000B001}2400C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385547Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.619{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA2C-6050-2100-00000000B001}2400C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385546Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.619{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA2B-6050-1700-00000000B001}1784C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385545Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.619{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA2B-6050-1700-00000000B001}1784C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385544Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.619{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA2B-6050-1600-00000000B001}1536C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385543Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.619{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA2B-6050-1600-00000000B001}1536C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385542Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.619{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA2B-6050-1500-00000000B001}1476C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385541Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.619{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA2B-6050-1500-00000000B001}1476C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385540Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.619{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA2B-6050-1400-00000000B001}1232C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385539Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.619{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA2B-6050-1400-00000000B001}1232C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385538Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.619{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA2B-6050-1300-00000000B001}1224C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385537Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.619{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA2B-6050-1300-00000000B001}1224C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385536Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.619{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA2B-6050-1200-00000000B001}1200C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385535Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.619{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA2B-6050-1200-00000000B001}1200C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385534Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.619{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA2B-6050-1100-00000000B001}1152C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385533Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.619{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA2B-6050-1100-00000000B001}1152C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385532Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.619{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA2B-6050-1000-00000000B001}1144C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385531Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.619{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA2B-6050-1000-00000000B001}1144C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385530Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.619{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA2B-6050-0F00-00000000B001}1112C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385529Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.619{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA2B-6050-0F00-00000000B001}1112C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385528Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.619{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA2B-6050-0E00-00000000B001}1064C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385527Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.619{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA2B-6050-0E00-00000000B001}1064C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385526Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.619{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA2B-6050-0D00-00000000B001}624C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385525Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.619{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA2B-6050-0D00-00000000B001}624C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385524Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.619{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA2B-6050-0C00-00000000B001}584C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385523Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.619{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA2B-6050-0C00-00000000B001}584C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385522Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.619{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA28-6050-0B00-00000000B001}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385521Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.619{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA28-6050-0B00-00000000B001}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 10341000x80000000000000002385520Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.619{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA28-6050-0900-00000000B001}792C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+3b59|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+414d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+d007|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+cb01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2f5e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+27fe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da 10341000x80000000000000002385519Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.619{9A05EE67-1F87-6051-3C21-00000000B001}122166900C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe{9A05EE67-DA28-6050-0900-00000000B001}792C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c669|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+c71b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2fde|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2b9e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+2659|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll+1607|C:\Windows\system32\mscoree.dll+1a755|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\SYSTEM32\pdh.dll+63ec|C:\Windows\SYSTEM32\pdh.dll+68a6|C:\Windows\SYSTEM32\pdh.dll+4e20|C:\Windows\SYSTEM32\pdh.dll+4195|C:\Windows\SYSTEM32\pdh.dll+3e16|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56685f|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+556617|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+5654f3|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+56667a|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f4da|C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe+68f10f 23542300x80000000000000002385518Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:55.432{9A05EE67-1F89-6051-4021-00000000B001}19804NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=83957B67AEC69BA86214B1BADDE0835D,SHA256=F5C030B1443E02E4E7578DFC1F84AF99175DE9E696C5707C7E021C0EDAA4EC95,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002386570Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.666{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386569Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.666{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386568Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.666{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386567Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.666{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386566Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.666{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386565Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.666{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386564Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.666{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386563Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.666{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386562Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.666{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386561Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.666{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386560Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.666{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386559Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.666{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386558Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.666{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386557Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.666{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386556Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.666{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386555Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.666{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386554Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.666{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386553Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.666{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386552Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.666{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E321-6050-FC07-00000000B001}6508C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\ResourceProfile\contentengine\NodeRunner.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386551Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.666{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E321-6050-FC07-00000000B001}6508C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\ResourceProfile\contentengine\NodeRunner.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386550Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E824-6050-6415-00000000B001}3100C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386549Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E824-6050-6415-00000000B001}3100C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386548Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E824-6050-6415-00000000B001}3100C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386547Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E824-6050-6415-00000000B001}3100C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386546Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E824-6050-6415-00000000B001}3100C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386545Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E824-6050-6415-00000000B001}3100C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386544Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E824-6050-6415-00000000B001}3100C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386543Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E824-6050-6415-00000000B001}3100C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386542Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E824-6050-6415-00000000B001}3100C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386541Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E824-6050-6415-00000000B001}3100C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386540Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E824-6050-6415-00000000B001}3100C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386539Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E824-6050-6415-00000000B001}3100C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386538Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E824-6050-6415-00000000B001}3100C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386537Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E824-6050-6415-00000000B001}3100C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386536Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E824-6050-6415-00000000B001}3100C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386535Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E824-6050-6415-00000000B001}3100C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386534Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E824-6050-6415-00000000B001}3100C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386533Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E824-6050-6415-00000000B001}3100C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386532Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E824-6050-6415-00000000B001}3100C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386531Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E824-6050-6415-00000000B001}3100C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386530Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E824-6050-6415-00000000B001}3100C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386529Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E824-6050-6415-00000000B001}3100C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386528Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386527Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386526Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386525Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386524Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386523Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386522Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386521Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386520Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386519Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386518Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386517Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386516Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386515Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386514Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386513Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386512Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386511Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386510Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386509Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386508Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386507Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386506Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386505Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386504Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386503Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386502Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386501Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386500Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386499Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386498Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386497Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386496Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386495Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386494Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386493Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386492Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386491Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386490Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386489Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386488Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386487Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386486Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386485Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386484Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386483Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386482Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386481Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386480Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386479Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386478Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386477Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386476Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386475Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386474Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386473Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386472Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386471Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386470Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386469Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386468Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386467Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386466Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386465Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386464Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386463Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386462Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386461Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386460Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386459Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386458Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386457Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386456Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386455Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386454Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386453Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386452Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386451Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386450Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386449Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386448Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386447Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386446Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386445Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E807-6050-1215-00000000B001}10084C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.ServiceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386444Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E846-6050-A315-00000000B001}2032C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxReplication.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386443Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E846-6050-A315-00000000B001}2032C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxReplication.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386442Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E846-6050-A315-00000000B001}2032C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxReplication.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386441Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E846-6050-A315-00000000B001}2032C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxReplication.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386440Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E886-6050-1C16-00000000B001}13040C:\Program Files\Microsoft\Exchange Server\V15\Bin\ComplianceAuditService.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386439Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386438Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386437Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386436Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386435Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E75B-6050-1613-00000000B001}7048C:\Program Files\Microsoft\Exchange Server\V15\Bin\msexchangerepl.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386434Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E75B-6050-1613-00000000B001}7048C:\Program Files\Microsoft\Exchange Server\V15\Bin\msexchangerepl.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386433Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E75B-6050-1613-00000000B001}7048C:\Program Files\Microsoft\Exchange Server\V15\Bin\msexchangerepl.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386432Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E75B-6050-1613-00000000B001}7048C:\Program Files\Microsoft\Exchange Server\V15\Bin\msexchangerepl.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386431Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E807-6050-1215-00000000B001}10084C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.ServiceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386430Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E807-6050-1215-00000000B001}10084C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.ServiceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386429Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E807-6050-1215-00000000B001}10084C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.ServiceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386428Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E807-6050-1215-00000000B001}10084C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.ServiceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386427Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E846-6050-A315-00000000B001}2032C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxReplication.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386426Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E846-6050-A315-00000000B001}2032C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxReplication.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386425Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E846-6050-A315-00000000B001}2032C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxReplication.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386424Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E846-6050-A315-00000000B001}2032C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxReplication.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386423Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E886-6050-1C16-00000000B001}13040C:\Program Files\Microsoft\Exchange Server\V15\Bin\ComplianceAuditService.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386422Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E886-6050-1C16-00000000B001}13040C:\Program Files\Microsoft\Exchange Server\V15\Bin\ComplianceAuditService.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386421Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E886-6050-1C16-00000000B001}13040C:\Program Files\Microsoft\Exchange Server\V15\Bin\ComplianceAuditService.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386420Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E886-6050-1C16-00000000B001}13040C:\Program Files\Microsoft\Exchange Server\V15\Bin\ComplianceAuditService.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386419Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386418Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E75B-6050-1613-00000000B001}7048C:\Program Files\Microsoft\Exchange Server\V15\Bin\msexchangerepl.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386417Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E807-6050-1215-00000000B001}10084C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.ServiceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386416Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E846-6050-A315-00000000B001}2032C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxReplication.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386415Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E886-6050-1C16-00000000B001}13040C:\Program Files\Microsoft\Exchange Server\V15\Bin\ComplianceAuditService.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386414Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-ED2D-6050-6E17-00000000B001}22016c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386413Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386412Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386411Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E759-6050-1413-00000000B001}7660C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeSubmission.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386410Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E759-6050-1413-00000000B001}7660C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeSubmission.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386409Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E759-6050-1413-00000000B001}7660C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeSubmission.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386408Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E759-6050-1413-00000000B001}7660C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeSubmission.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386407Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E759-6050-1413-00000000B001}7660C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeSubmission.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386406Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E759-6050-1413-00000000B001}7660C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeSubmission.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386405Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E759-6050-1413-00000000B001}7660C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeSubmission.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386404Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E759-6050-1413-00000000B001}7660C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeSubmission.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386403Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.651{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E759-6050-1413-00000000B001}7660C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeSubmission.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386402Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E759-6050-1413-00000000B001}7660C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeSubmission.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386401Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E759-6050-1413-00000000B001}7660C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeSubmission.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386400Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E758-6050-1313-00000000B001}5828C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Search.Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386399Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E758-6050-1313-00000000B001}5828C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Search.Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386398Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E950-6050-7C16-00000000B001}14520c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386397Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E950-6050-7C16-00000000B001}14520c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386396Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E321-6050-FC07-00000000B001}6508C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\ResourceProfile\contentengine\NodeRunner.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386395Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E758-6050-1313-00000000B001}5828C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Search.Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386394Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386393Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E8AD-6050-4216-00000000B001}13956C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386392Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E807-6050-1215-00000000B001}10084C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.ServiceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386391Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E846-6050-A315-00000000B001}2032C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxReplication.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386390Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E8A8-6050-3F16-00000000B001}14088C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386389Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E8D2-6050-4E16-00000000B001}14156c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386388Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E843-6050-A115-00000000B001}2920C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.RpcClientAccess.Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386387Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E9BD-6050-B916-00000000B001}17328c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386386Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E950-6050-7C16-00000000B001}14520c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386385Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-ED2D-6050-6E17-00000000B001}22016c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386384Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E959-6050-8C16-00000000B001}6868c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386383Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E846-6050-A315-00000000B001}2032C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxReplication.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386382Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E846-6050-A315-00000000B001}2032C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxReplication.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386381Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386380Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386379Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386378Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E8AD-6050-4216-00000000B001}13956C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386377Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E8A8-6050-3F16-00000000B001}14088C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386376Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E8D2-6050-4E16-00000000B001}14156c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386375Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E950-6050-7C16-00000000B001}14520c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386374Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E826-6050-6715-00000000B001}10840C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386373Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E826-6050-6715-00000000B001}10840C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386372Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E826-6050-6715-00000000B001}10840C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386371Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E826-6050-6715-00000000B001}10840C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386370Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E826-6050-6715-00000000B001}10840C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386369Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E826-6050-6715-00000000B001}10840C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386368Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E826-6050-6715-00000000B001}10840C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386367Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E826-6050-6715-00000000B001}10840C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386366Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E826-6050-6715-00000000B001}10840C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386365Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E826-6050-6715-00000000B001}10840C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386364Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E826-6050-6715-00000000B001}10840C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386363Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E826-6050-6715-00000000B001}10840C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386362Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E826-6050-6715-00000000B001}10840C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386361Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E826-6050-6715-00000000B001}10840C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386360Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E826-6050-6715-00000000B001}10840C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386359Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E826-6050-6715-00000000B001}10840C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386358Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E826-6050-6715-00000000B001}10840C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386357Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E826-6050-6715-00000000B001}10840C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386356Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386355Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E759-6050-1413-00000000B001}7660C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeSubmission.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386354Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E759-6050-1413-00000000B001}7660C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeSubmission.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386353Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386352Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386351Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E8AD-6050-4216-00000000B001}13956C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386350Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E8AD-6050-4216-00000000B001}13956C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386349Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E8A8-6050-3F16-00000000B001}14088C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386348Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E8A8-6050-3F16-00000000B001}14088C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386347Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E8D2-6050-4E16-00000000B001}14156c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386346Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E8D2-6050-4E16-00000000B001}14156c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386345Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E950-6050-7C16-00000000B001}14520c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386344Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E950-6050-7C16-00000000B001}14520c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386343Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386342Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E759-6050-1413-00000000B001}7660C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeSubmission.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386341Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E8A8-6050-3F16-00000000B001}14088C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386340Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E959-6050-8C16-00000000B001}6868c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386339Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E335-6050-1D08-00000000B001}9176C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Directory.TopologyService.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386338Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E807-6050-1215-00000000B001}10084C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.ServiceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386337Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E750-6050-0F13-00000000B001}8916C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386336Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E758-6050-1313-00000000B001}5828C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Search.Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386335Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E75A-6050-1513-00000000B001}8932C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeThrottling.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386334Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E759-6050-1413-00000000B001}7660C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeSubmission.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386333Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E75B-6050-1613-00000000B001}7048C:\Program Files\Microsoft\Exchange Server\V15\Bin\msexchangerepl.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386332Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E75D-6050-1813-00000000B001}5196C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDagMgmt.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386331Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E760-6050-1A13-00000000B001}9452C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Store.Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386330Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E764-6050-1C13-00000000B001}9980C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Store.Worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386329Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E321-6050-FC07-00000000B001}6508C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\ResourceProfile\contentengine\NodeRunner.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386328Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E824-6050-6415-00000000B001}3100C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386327Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E825-6050-6515-00000000B001}3388C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeTransportLogSearch.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386326Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E826-6050-6715-00000000B001}10840C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386325Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E829-6050-6A15-00000000B001}2460C:\Program Files\Microsoft\Exchange Server\V15\Bin\umservice.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386324Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E82B-6050-7015-00000000B001}7156C:\Program Files\Microsoft\Exchange Server\V15\bin\UMworkerprocess.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386323Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E843-6050-A115-00000000B001}2920C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.RpcClientAccess.Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386322Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E846-6050-A315-00000000B001}2032C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxReplication.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386321Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E84F-6050-D615-00000000B001}2888C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.EdgeSyncSvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386320Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E856-6050-F015-00000000B001}11876C:\Program Files\Microsoft\Exchange Server\V15\Bin\ForefrontActiveDirectoryConnector.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386319Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.635{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E861-6050-0116-00000000B001}10868C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeTransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386318Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.619{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E864-6050-0516-00000000B001}12084C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386317Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.619{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E867-6050-0B16-00000000B001}11960C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\CallRouter\Microsoft.Exchange.UM.CallRouter.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386316Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.619{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E86F-6050-1116-00000000B001}11120C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Pop3.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386315Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.619{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E86E-6050-1016-00000000B001}11884C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Pop3Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386314Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.619{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E87A-6050-1616-00000000B001}13132C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Imap4.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386313Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.619{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E878-6050-1316-00000000B001}12860C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Imap4Service.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386312Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.619{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E882-6050-1816-00000000B001}12912C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeCompliance.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386311Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.619{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E886-6050-1C16-00000000B001}13040C:\Program Files\Microsoft\Exchange Server\V15\Bin\ComplianceAuditService.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386310Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.619{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E8A8-6050-3F16-00000000B001}14088C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386309Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.619{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E8AD-6050-4216-00000000B001}13956C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386308Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.619{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E8D2-6050-4E16-00000000B001}14156c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386307Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.619{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E93B-6050-6616-00000000B001}13336c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386306Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.619{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E93F-6050-6A16-00000000B001}13552c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386305Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.619{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E946-6050-7116-00000000B001}10832c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386304Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.619{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-ED2D-6050-6E17-00000000B001}22016c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386303Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.619{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E950-6050-7C16-00000000B001}14520c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386302Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.619{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E953-6050-8016-00000000B001}14944c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386301Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.619{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E8D2-6050-4E16-00000000B001}14156c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386300Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.619{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E959-6050-8C16-00000000B001}6868c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386299Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.619{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-EBB8-6050-1E17-00000000B001}16064c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386298Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.619{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E959-6050-8C16-00000000B001}6868c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386297Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.619{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-EBF9-6050-2E17-00000000B001}6188c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386296Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.619{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E950-6050-7C16-00000000B001}14520c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386295Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.619{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-ED2D-6050-6E17-00000000B001}22016c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386294Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.619{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E96D-6050-AB16-00000000B001}15480c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386293Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.619{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E9BD-6050-B916-00000000B001}17328c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386292Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.619{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E9FC-6050-C916-00000000B001}18272c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+146c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+43ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+3ae8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+5f94|C:\Windows\system32\netfxperf.dll+1476|C:\Windows\System32\ADVAPI32.dll+12060|C:\Windows\System32\ADVAPI32.dll+116b5|C:\Windows\System32\KERNELBASE.dll+23d79|C:\Windows\System32\KERNELBASE.dll+2332d|C:\Windows\system32\pdh.dll+63ec|C:\Windows\system32\pdh.dll+56ad|C:\Windows\system32\pdh.dll+149a9|C:\Windows\system32\pdh.dll+1b4fa|C:\Windows\system32\pla.dll+faeff|C:\Windows\system32\pla.dll+f23be|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002386291Microsoft-Windows-Sysmon/Operationalwin-dc-622.attackrange.local-2021-03-16 21:39:56.619{9A05EE67-E8AC-6050-4116-00000000B001}1323614028C:\Windows\system32\rundll32.exe{9A05EE67-E946-6050-7116-00000000B001}10832c:\windows\system32\inetsrv\w3wp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+21ae|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll+14