Enter the log from Infocyte:
{ "md5": "3bd867833f83f44f020c9cd05b0b7395", "pid": 7628, "uid": "S-1-5-18", "name": "wasecagentprov.exe", "path": "c:\\windowsazure\\secagent\\wasecagentprov.exe", "ppid": 4576, "sha1": "fe73cb21c722bfec8d11f03b8eced7c165905c11", "size": 528752, "type": "process", "error": null, "owner": "NT AUTHORITY\\SYSTEM", "hostOs": "Windows Server 2019 Datacenter 1809 ServerDatacenter 64-bit", "itemId": "b7266e356ec9e74a728bc988e4117f01ee7da0bc", "sha256": "c2b49fa4352bcc7f8f72e7ea25a646f89db9136fb7e60f01d36e0bdd5c23ea55", "signed": true, "ssdeep": "12288:VEYvYSQju+rgEf6utE5IYVMKoA09bYG5/tVaGnp:VEY4y+hyqKoA0XHTp", "created": "2021-08-15T20:09:07.000000049Z", "entropy": 6.283627147991902, "foundOn": "2023-05-02T22:08:00.025349400Z", "managed": null, "package": null, "started": "2023-05-02T22:07:59.956970200Z", "hostInfo": { "ip": null, "domain": "aaddsbnp.com", "agentId": "a8a15642-6180-4fff-a99c-71698b1af73e", "cpe23Uri": null, "hostname": "bnp-az-dc19-01", "osVersion": "Windows Server 2019 Datacenter 1809 ServerDatacenter 64-bit", "rmmSiteId": null, "rmmDeviceId": null, "architecture": "64-bit", "rmmAccountId": null }, "hostname": "bnp-az-dc19-01", "modified": "2021-11-05T16:07:42Z", "realTime": true, "accountId": "1d42c6644e307d522bd12008850dbd4d818ad22d", "eventTime": "2023-05-02T22:07:59.956970200Z", "messageId": "aa4d4684-3d55-4531-b0c1-7c35d619c5aa", "processId": "b7266e356ec9e74a728bc988e4117f01ee7da0bc", "signature": { "type": "Embedded", "issuerName": "Microsoft Windows Production PCA 2011, Microsoft Corporation, Redmond, Washington, US", "subjectName": "Microsoft Windows", "serialNumber": "33000002EC6579AD1E670890130000000002EC", "timestampIssuer": null, "timestampSubject": null }, "hostScanId": "2758d852-0401-45ea-8251-234a40c6368d", "instanceId": "56dd04fe1947459c10256d4835a3b3b3aa831158", "parentPath": "c:\\windowsazure\\guestagent_2.7.41491.1083_2023-04-12_035845\\waappagent.exe", "commandLine": "\"C:\\WindowsAzure\\SecAgent\\WaSecAgentProv.exe\" -startPoll C:\\WindowsAzure\\Logs\\ 168.63.129.16 5248000 3600000 21600000", "ppidSpoofed": false, "processName": "WaSecAgentProv.exe", "ruleActions": { "alert": false, "observe": true }, "ruleMitreId": "T1102", "ruleSeverity": "low", "ruleMitreTactic": "Command and Control", "parentCommandLine": null, "parentProcessName": "WaAppAgent.exe", "grandParentProcessName": "services.exe" }
