{"CommandLine": "\"C:\\ProgramData\\USOShared\\svchost.exe\" -nostdlib -run conf.c", "EventCode": "1", "EventData_Xml": "<Data Name='RuleName'>-</Data><Data Name='UtcTime'>2026-02-02 22:28:05.802</Data><Data Name='ProcessGuid'>{05ed74c3-24f5-6981-ef92-000000005302}</Data><Data Name='ProcessId'>8968</Data><Data Name='Image'>C:\\ProgramData\\USOShared\\svchost.exe</Data><Data Name='FileVersion'>10.0.20348.4647 (WinBuild.160101.0800)</Data><Data Name='Description'>Windows Command Processor</Data><Data Name='Product'>Microsoft® Windows® Operating System</Data><Data Name='Company'>Microsoft Corporation</Data><Data Name='OriginalFileName'>Cmd.Exe</Data><Data Name='CommandLine'>\"C:\\ProgramData\\USOShared\\svchost.exe\" -nostdlib -run conf.c </Data><Data Name='CurrentDirectory'>C:\\Users\\Administrator\\</Data><Data Name='User'>ATTACKRANGE\\Administrator</Data><Data Name='LogonGuid'>{05ed74c3-b450-697b-1298-200000000000}</Data><Data Name='LogonId'>0x209812</Data><Data Name='TerminalSessionId'>2</Data><Data Name='IntegrityLevel'>High</Data><Data Name='Hashes'>MD5=F63068E624FE6B82058AAAA671D4BC96,SHA256=90D120880614E1E2A94067BAAD1454B09E2BE7A9DA51B71E33C247077D9F9538,IMPHASH=D60B77062898DC6BFAE7FE11A0F8806C</Data><Data Name='ParentProcessGuid'>{05ed74c3-24f4-6981-eb92-000000005302}</Data><Data Name='ParentProcessId'>9844</Data><Data Name='ParentImage'>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</Data><Data Name='ParentCommandLine'>\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" </Data><Data Name='ParentUser'>ATTACKRANGE\\Administrator</Data>", "EventID": "1", "Image": "C:\\ProgramData\\USOShared\\svchost.exe", "System_Props_Xml": "<Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/><EventID>1</EventID><Version>5</Version><Level>4</Level><Task>1</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2026-02-02T22:28:05.8071975Z'/><EventRecordID>43009</EventRecordID><Correlation/><Execution ProcessID='3200' ThreadID='3868'/><Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>ar-win-dc.attackrange.local</Computer><Security UserID='S-1-5-18'/>", "_bkt": "win~2~84569963-7203-40C6-84C0-B281193711B0", "_cd": "2:204952332", "_indextime": "1770071286", "_raw": "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/><EventID>1</EventID><Version>5</Version><Level>4</Level><Task>1</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2026-02-02T22:28:05.8071975Z'/><EventRecordID>43009</EventRecordID><Correlation/><Execution ProcessID='3200' ThreadID='3868'/><Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>ar-win-dc.attackrange.local</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='RuleName'>-</Data><Data Name='UtcTime'>2026-02-02 22:28:05.802</Data><Data Name='ProcessGuid'>{05ed74c3-24f5-6981-ef92-000000005302}</Data><Data Name='ProcessId'>8968</Data><Data Name='Image'>C:\\ProgramData\\USOShared\\svchost.exe</Data><Data Name='FileVersion'>10.0.20348.4647 (WinBuild.160101.0800)</Data><Data Name='Description'>Windows Command Processor</Data><Data Name='Product'>Microsoft® Windows® Operating System</Data><Data Name='Company'>Microsoft Corporation</Data><Data Name='OriginalFileName'>Cmd.Exe</Data><Data Name='CommandLine'>\"C:\\ProgramData\\USOShared\\svchost.exe\" -nostdlib -run conf.c </Data><Data Name='CurrentDirectory'>C:\\Users\\Administrator\\</Data><Data Name='User'>ATTACKRANGE\\Administrator</Data><Data Name='LogonGuid'>{05ed74c3-b450-697b-1298-200000000000}</Data><Data Name='LogonId'>0x209812</Data><Data Name='TerminalSessionId'>2</Data><Data Name='IntegrityLevel'>High</Data><Data Name='Hashes'>MD5=F63068E624FE6B82058AAAA671D4BC96,SHA256=90D120880614E1E2A94067BAAD1454B09E2BE7A9DA51B71E33C247077D9F9538,IMPHASH=D60B77062898DC6BFAE7FE11A0F8806C</Data><Data Name='ParentProcessGuid'>{05ed74c3-24f4-6981-eb92-000000005302}</Data><Data Name='ParentProcessId'>9844</Data><Data Name='ParentImage'>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</Data><Data Name='ParentCommandLine'>\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" </Data><Data Name='ParentUser'>ATTACKRANGE\\Administrator</Data></EventData></Event>", "_serial": "0", "_si": ["splunk-server", "win"], "_sourcetype": "XmlWinEventLog", "_time": "2026-02-02T22:28:05.000+00:00", "host": "AR-WIN-DC", "index": "win", "linecount": "1", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "XmlWinEventLog", "splunk_server": "splunk-server"}