Account - iis apppool\solarwinds orion application pool
Initiating process - w3wp.exe
log-file="C:\Users\SOLARW~2\AppData\Local\Temp\debug.log
Commandline - "w3wp.exe -ap "SolarWinds Orion Application Pool" -v "v4.0" -l "webengine4.dll" -a \\.\pipe\iisipm7f777309-bf7d-4f7e-a9dc-cd148ad00fa3 -h "C:\inetpub\temp\apppools\SolarWinds Orion Application Pool\SolarWinds Orion Application Pool.config" -w "" -m 0"
The above command is part of the infrastructure that allows the SolarWinds Orion application to run within IIS, handling web requests and managing application state.
The device was seen launching "rundll32.exe" from the web server process "w3wp.exe". Based on the "w3wp.exe" command line, it's launching the worker process of "SolarWinds Orion Application Pool". The child processes were not loading any malicious DLLs.
Kindly let us know if the command line is expected on the server or not.
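A triage sketch for the alert described above, added here as an example and not part of the original post: it pulls the application pool name out of the `w3wp.exe` command line and lists each `rundll32.exe` child with the DLL it was asked to load. The event field names, the sample events, the DLL paths and the `USER_WRITABLE` path list are all constructed assumptions, not values from the alert.

```python
import re

# "-ap" carries the IIS application pool name on the w3wp.exe command line.
AP_RE = re.compile(r'-ap\s+"([^"]+)"', re.IGNORECASE)
# rundll32 is invoked as: rundll32.exe <dll>,<export> [args]; the DLL may be quoted.
DLL_RE = re.compile(r'rundll32(?:\.exe)?"?\s+"?([^",]+\.dll)"?\s*,\s*#?(\w+)', re.IGNORECASE)
# Assumed list of locations a web worker's helper DLL should not normally load from.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\windows\\temp\\", "\\inetpub\\")

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def app_pool(cmdline):
    m = AP_RE.search(cmdline)
    return m.group(1) if m else None

def triage(events):
    """Return one finding per rundll32.exe process whose parent is w3wp.exe."""
    findings = []
    for ev in events:
        if basename(ev["parent_image"]) != "w3wp.exe":
            continue
        if basename(ev["image"]) != "rundll32.exe":
            continue
        m = DLL_RE.search(ev["cmdline"])
        dll = m.group(1) if m else None
        findings.append({
            "app_pool": app_pool(ev["parent_cmdline"]),
            "dll": dll,
            "export": m.group(2) if m else None,
            # Escalate when the DLL cannot be parsed or sits in a user-writable path.
            "needs_review": dll is None or any(p in dll.lower() for p in USER_WRITABLE),
        })
    return findings

# Constructed sample events; the parent command line is abbreviated from the post.
W3WP = r'w3wp.exe -ap "SolarWinds Orion Application Pool" -v "v4.0" -l "webengine4.dll"'
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe", "parent_cmdline": W3WP,
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'rundll32.exe "C:\Program Files (x86)\Example\helper.dll",EntryPoint'},
    {"parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe", "parent_cmdline": W3WP,
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Public\sample.dll,Run"},
    {"parent_image": r"C:\Windows\explorer.exe", "parent_cmdline": "explorer.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

A finding with `needs_review` set to False still needs the DLL's signature and vendor ownership confirmed before the alert is closed as expected behaviour.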