  <!--
    Sysmon Event ID 1 (ProcessCreate) record as exported from the Event Viewer
    "XML view" (gutter numbers and the "-" collapse markers of that view removed;
    every element, attribute and value is reproduced unchanged).

    What the record shows: the IIS worker process w3wp.exe, hosting the Exchange
    "MSExchangeECPAppPool" application pool, spawned cmd.exe running as
    NT AUTHORITY\SYSTEM with the worker's inetsrv directory as its working
    directory. An IIS worker process launching a command interpreter is a
    high-fidelity detection signal (server-side code execution or a web shell on
    the Exchange front end) and is worth alerting on regardless of the child's
    command line.
  -->
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
      <!-- Provider GUID identifies Sysmon; EventID 1 / Task 1 is process creation -->
      <Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
      <EventID>1</EventID>
      <Version>5</Version>
      <Level>4</Level>
      <Task>1</Task>
      <Opcode>0</Opcode>
      <Keywords>0x8000000000000000</Keywords>
      <!-- Time the record was written to the log; Sysmon's own timestamp is the
           UtcTime data field below (19:48:58.204, ~16 ms earlier) -->
      <TimeCreated SystemTime="2020-02-28T19:48:58.220364900Z" />
      <EventRecordID>4128</EventRecordID>
      <Correlation />
      <!-- ProcessID/ThreadID of the process that raised the event (the Sysmon
           service), not of the created process (ProcessId 18824 below) -->
      <Execution ProcessID="13936" ThreadID="5020" />
      <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
      <Computer>exchange-dc5.evilcorp.com</Computer>
      <!-- S-1-5-18 is the LocalSystem well-known SID; consistent with the
           User and LogonId (0x3e7) fields in EventData -->
      <Security UserID="S-1-5-18" />
    </System>
    <EventData>
      <!-- Empty RuleName: no named Sysmon configuration rule tagged this event -->
      <Data Name="RuleName" />
      <Data Name="UtcTime">2020-02-28 19:48:58.204</Data>
      <!-- Pivot key for the investigation: any process started by this cmd.exe
           carries this value as its ParentProcessGuid in its own EventID 1 record -->
      <Data Name="ProcessGuid">{4C84529A-6EAA-5E59-0000-0010A9E79300}</Data>
      <Data Name="ProcessId">18824</Data>
      <Data Name="Image">C:\Windows\System32\cmd.exe</Data>
      <!-- Build 6.3.9600 is consistent with Windows Server 2012 R2 -->
      <Data Name="FileVersion">6.3.9600.16384 (winblue_rtm.130821-1623)</Data>
      <Data Name="Description">Windows Command Processor</Data>
      <Data Name="Product">Microsoft® Windows® Operating System</Data>
      <Data Name="Company">Microsoft Corporation</Data>
      <Data Name="OriginalFileName">Cmd.Exe</Data>
      <!-- Bare cmd.exe with no arguments: whatever was executed through this
           shell would appear as separate EventID 1 records parented by it -->
      <Data Name="CommandLine">"C:\Windows\System32\cmd.exe"</Data>
      <!-- Same directory as the parent image (IIS worker) -->
      <Data Name="CurrentDirectory">c:\windows\system32\inetsrv\</Data>
      <Data Name="User">NT AUTHORITY\SYSTEM</Data>
      <Data Name="LogonGuid">{4C84529A-6118-5E59-0000-0020E7030000}</Data>
      <Data Name="LogonId">0x3e7</Data>
      <Data Name="TerminalSessionId">0</Data>
      <Data Name="IntegrityLevel">System</Data>
      <!-- Hashes are of the Image file (cmd.exe); compare them with a known-good
           copy of the same build to rule out a replaced binary -->
      <Data Name="Hashes">SHA1=0C2E3CF2D2F09792960A73DC772A086E99A96764,MD5=FC0B4A626881D7C5980D757214DB2D25,SHA256=0B9BC863E2807B6886760480083E51BA8A66118659F4FF274E7B73944D2219F5,IMPHASH=77AED1ADAF24B344F08C8AD1432908C3</Data>
      <Data Name="ParentProcessGuid">{4C84529A-614E-5E59-0000-0010F3960800}</Data>
      <Data Name="ParentProcessId">4736</Data>
      <!-- Parent is the IIS worker process; its command line names the Exchange
           ECP application pool (-ap "MSExchangeECPAppPool") and an Exchange
           Server V15 install path -->
      <Data Name="ParentImage">C:\Windows\System32\inetsrv\w3wp.exe</Data>
      <Data Name="ParentCommandLine">c:\windows\system32\inetsrv\w3wp.exe -ap "MSExchangeECPAppPool" -v "v4.0" -c "C:\Program Files\Microsoft\Exchange Server\V15\bin\GenericAppPoolConfigWithGCServerEnabledFalse.config" -a \\.\pipe\iisipm405bd439-ae58-4afb-939e-eecf6d0aefa3 -h "C:\inetpub\temp\apppools\MSExchangeECPAppPool\MSExchangeECPAppPool.config" -w "" -m 0</Data>
    </EventData>
  </Event>