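<?xml version="1.0" encoding="UTF-8"?>
<!--
  Sysmon event record (provider Microsoft-Windows-Sysmon, channel
  Microsoft-Windows-Sysmon/Operational) as shown in Event Viewer's XML view.
  The tree-view collapse markers ("- ") that the original paste carried at the
  start of every line are not XML; they have been dropped so the document is
  well-formed. All element and attribute values are otherwise unchanged.

  Why this record matters to a defender: the parent is the IIS worker process
  w3wp.exe serving the "MSExchangeECPAppPool" application pool, and the child
  it created is cmd.exe, running as NT AUTHORITY\SYSTEM (IntegrityLevel System)
  with its working directory set to the inetsrv folder. A web-server worker
  process spawning a command interpreter is a high-signal detection pattern
  (web shell or other server-side code execution). One event alone does not
  prove compromise; triage by correlating UtcTime and ParentProcessGuid with
  the IIS/ECP request logs for the same window and by enumerating further
  child processes of ProcessGuid.
-->
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
    <!-- Sysmon EventID 1 is the ProcessCreate event; Level 4 is Informational -->
    <EventID>1</EventID>
    <Version>5</Version>
    <Level>4</Level>
    <Task>1</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <!-- Event Log timestamp (UTC); the EventData UtcTime below is Sysmon's own and differs by a few ms -->
    <TimeCreated SystemTime="2020-02-28T19:48:58.220364900Z" />
    <EventRecordID>4128</EventRecordID>
    <Correlation />
    <!-- ProcessID/ThreadID here are the Sysmon service that logged the event, not the created process -->
    <Execution ProcessID="13936" ThreadID="5020" />
    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
    <!-- Hostname suggests an Exchange server; confirm the host's roles, since SYSTEM-level
         execution on a machine that is also a domain controller has domain-wide impact -->
    <Computer>exchange-dc5.evilcorp.com</Computer>
    <!-- S-1-5-18 is the well-known Local System SID (account the event was logged under) -->
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <!-- Empty RuleName: the creating Sysmon config did not tag this event with a named rule -->
    <Data Name="RuleName" />
    <Data Name="UtcTime">2020-02-28 19:48:58.204</Data>
    <Data Name="ProcessGuid">{4C84529A-6EAA-5E59-0000-0010A9E79300}</Data>
    <Data Name="ProcessId">18824</Data>
    <!-- The created process: a command interpreter -->
    <Data Name="Image">C:\Windows\System32\cmd.exe</Data>
    <Data Name="FileVersion">6.3.9600.16384 (winblue_rtm.130821-1623)</Data>
    <Data Name="Description">Windows Command Processor</Data>
    <Data Name="Product">Microsoft® Windows® Operating System</Data>
    <Data Name="Company">Microsoft Corporation</Data>
    <Data Name="OriginalFileName">Cmd.Exe</Data>
    <!-- Bare cmd.exe with no arguments; any commands were supplied interactively or via stdin,
         so this line alone does not show what was run -->
    <Data Name="CommandLine">"C:\Windows\System32\cmd.exe"</Data>
    <!-- Working directory inherited from the IIS worker process -->
    <Data Name="CurrentDirectory">c:\windows\system32\inetsrv\</Data>
    <Data Name="User">NT AUTHORITY\SYSTEM</Data>
    <Data Name="LogonGuid">{4C84529A-6118-5E59-0000-0020E7030000}</Data>
    <!-- 0x3e7 is the well-known SYSTEM logon session -->
    <Data Name="LogonId">0x3e7</Data>
    <Data Name="TerminalSessionId">0</Data>
    <Data Name="IntegrityLevel">System</Data>
    <!-- Hashes of the spawned image; compare against a known-good cmd.exe of the stated
         FileVersion to rule out a tampered or renamed binary -->
    <Data Name="Hashes">SHA1=0C2E3CF2D2F09792960A73DC772A086E99A96764,MD5=FC0B4A626881D7C5980D757214DB2D25,SHA256=0B9BC863E2807B6886760480083E51BA8A66118659F4FF274E7B73944D2219F5,IMPHASH=77AED1ADAF24B344F08C8AD1432908C3</Data>
    <Data Name="ParentProcessGuid">{4C84529A-614E-5E59-0000-0010F3960800}</Data>
    <Data Name="ParentProcessId">4736</Data>
    <!-- Parent is the IIS worker process for the Exchange ECP application pool;
         w3wp.exe creating cmd.exe is the detection-worthy relationship in this record -->
    <Data Name="ParentImage">C:\Windows\System32\inetsrv\w3wp.exe</Data>
    <Data Name="ParentCommandLine">c:\windows\system32\inetsrv\w3wp.exe -ap "MSExchangeECPAppPool" -v "v4.0" -c "C:\Program Files\Microsoft\Exchange Server\V15\bin\GenericAppPoolConfigWithGCServerEnabledFalse.config" -a \\.\pipe\iisipm405bd439-ae58-4afb-939e-eecf6d0aefa3 -h "C:\inetpub\temp\apppools\MSExchangeECPAppPool\MSExchangeECPAppPool.config" -w "" -m 0</Data>
  </EventData>
</Event>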