{"CommandLine": "rundll32.exe  log.dll,LogInit", "EventCode": "1", "EventData_Xml": "<Data Name='RuleName'>-</Data><Data Name='UtcTime'>2026-02-02 20:26:46.079</Data><Data Name='ProcessGuid'>{05ed74c3-0886-6981-4f90-000000005302}</Data><Data Name='ProcessId'>5628</Data><Data Name='Image'>C:\\Windows\\System32\\rundll32.exe</Data><Data Name='FileVersion'>10.0.20348.3451 (WinBuild.160101.0800)</Data><Data Name='Description'>Windows host process (Rundll32)</Data><Data Name='Product'>Microsoft® Windows® Operating System</Data><Data Name='Company'>Microsoft Corporation</Data><Data Name='OriginalFileName'>RUNDLL32.EXE</Data><Data Name='CommandLine'>rundll32.exe  log.dll,LogInit</Data><Data Name='CurrentDirectory'>C:\\Users\\Administrator\\AppData\\Roaming\\Bluetooth\\</Data><Data Name='User'>ATTACKRANGE\\Administrator</Data><Data Name='LogonGuid'>{05ed74c3-b450-697b-1298-200000000000}</Data><Data Name='LogonId'>0x209812</Data><Data Name='TerminalSessionId'>2</Data><Data Name='IntegrityLevel'>High</Data><Data Name='Hashes'>MD5=E7D621DDAB207739772BDEA40E12296E,SHA256=02F6A04B3373F195152FB1B4AEAFE25BF8EF4411DC020C2238C541BCC3DC309B,IMPHASH=5C68DE198B5D2DD5C1129782AD19676C</Data><Data Name='ParentProcessGuid'>{05ed74c3-0886-6981-4e90-000000005302}</Data><Data Name='ParentProcessId'>4432</Data><Data Name='ParentImage'>C:\\Windows\\System32\\cmd.exe</Data><Data Name='ParentCommandLine'>\"C:\\Windows\\system32\\cmd.exe\" /c \"rundll32.exe log.dll,LogInit\"</Data><Data Name='ParentUser'>ATTACKRANGE\\Administrator</Data>", "EventID": "1", "Image": "C:\\Windows\\System32\\rundll32.exe", "System_Props_Xml": "<Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/><EventID>1</EventID><Version>5</Version><Level>4</Level><Task>1</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2026-02-02T20:26:46.0800804Z'/><EventRecordID>42317</EventRecordID><Correlation/><Execution ProcessID='3200' ThreadID='3868'/><Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>ar-win-dc.attackrange.local</Computer><Security UserID='S-1-5-18'/>", "_bkt": "win~0~84569963-7203-40C6-84C0-B281193711B0", "_cd": "0:87710270", "_indextime": "1770064006", "_raw": "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/><EventID>1</EventID><Version>5</Version><Level>4</Level><Task>1</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2026-02-02T20:26:46.0800804Z'/><EventRecordID>42317</EventRecordID><Correlation/><Execution ProcessID='3200' ThreadID='3868'/><Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>ar-win-dc.attackrange.local</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='RuleName'>-</Data><Data Name='UtcTime'>2026-02-02 20:26:46.079</Data><Data Name='ProcessGuid'>{05ed74c3-0886-6981-4f90-000000005302}</Data><Data Name='ProcessId'>5628</Data><Data Name='Image'>C:\\Windows\\System32\\rundll32.exe</Data><Data Name='FileVersion'>10.0.20348.3451 (WinBuild.160101.0800)</Data><Data Name='Description'>Windows host process (Rundll32)</Data><Data Name='Product'>Microsoft® Windows® Operating System</Data><Data Name='Company'>Microsoft Corporation</Data><Data Name='OriginalFileName'>RUNDLL32.EXE</Data><Data Name='CommandLine'>rundll32.exe  log.dll,LogInit</Data><Data Name='CurrentDirectory'>C:\\Users\\Administrator\\AppData\\Roaming\\Bluetooth\\</Data><Data Name='User'>ATTACKRANGE\\Administrator</Data><Data Name='LogonGuid'>{05ed74c3-b450-697b-1298-200000000000}</Data><Data Name='LogonId'>0x209812</Data><Data Name='TerminalSessionId'>2</Data><Data Name='IntegrityLevel'>High</Data><Data Name='Hashes'>MD5=E7D621DDAB207739772BDEA40E12296E,SHA256=02F6A04B3373F195152FB1B4AEAFE25BF8EF4411DC020C2238C541BCC3DC309B,IMPHASH=5C68DE198B5D2DD5C1129782AD19676C</Data><Data Name='ParentProcessGuid'>{05ed74c3-0886-6981-4e90-000000005302}</Data><Data Name='ParentProcessId'>4432</Data><Data Name='ParentImage'>C:\\Windows\\System32\\cmd.exe</Data><Data Name='ParentCommandLine'>\"C:\\Windows\\system32\\cmd.exe\" /c \"rundll32.exe log.dll,LogInit\"</Data><Data Name='ParentUser'>ATTACKRANGE\\Administrator</Data></EventData></Event>", "_serial": "0", "_si": ["splunk-server", "win"], "_sourcetype": "XmlWinEventLog", "_time": "2026-02-02T20:26:46.000+00:00", "host": "AR-WIN-DC", "index": "win", "linecount": "1", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "XmlWinEventLog", "splunk_server": "splunk-server"}
{"CommandLine": "rundll32.exe  log.dll,LogInit", "EventCode": "1", "EventData_Xml": "<Data Name='RuleName'>-</Data><Data Name='UtcTime'>2026-02-02 20:14:09.803</Data><Data Name='ProcessGuid'>{05ed74c3-0591-6981-c08f-000000005302}</Data><Data Name='ProcessId'>6572</Data><Data Name='Image'>C:\\Windows\\System32\\rundll32.exe</Data><Data Name='FileVersion'>10.0.20348.3451 (WinBuild.160101.0800)</Data><Data Name='Description'>Windows host process (Rundll32)</Data><Data Name='Product'>Microsoft® Windows® Operating System</Data><Data Name='Company'>Microsoft Corporation</Data><Data Name='OriginalFileName'>RUNDLL32.EXE</Data><Data Name='CommandLine'>rundll32.exe  log.dll,LogInit</Data><Data Name='CurrentDirectory'>C:\\Users\\Administrator\\AppData\\Roaming\\Bluetooth\\</Data><Data Name='User'>ATTACKRANGE\\Administrator</Data><Data Name='LogonGuid'>{05ed74c3-058c-6981-5675-790700000000}</Data><Data Name='LogonId'>0x7797556</Data><Data Name='TerminalSessionId'>0</Data><Data Name='IntegrityLevel'>High</Data><Data Name='Hashes'>MD5=E7D621DDAB207739772BDEA40E12296E,SHA256=02F6A04B3373F195152FB1B4AEAFE25BF8EF4411DC020C2238C541BCC3DC309B,IMPHASH=5C68DE198B5D2DD5C1129782AD19676C</Data><Data Name='ParentProcessGuid'>{05ed74c3-0591-6981-bf8f-000000005302}</Data><Data Name='ParentProcessId'>1544</Data><Data Name='ParentImage'>C:\\Windows\\System32\\cmd.exe</Data><Data Name='ParentCommandLine'>\"C:\\Windows\\system32\\cmd.exe\" /c \"rundll32.exe log.dll,LogInit\"</Data><Data Name='ParentUser'>ATTACKRANGE\\Administrator</Data>", "EventID": "1", "Image": "C:\\Windows\\System32\\rundll32.exe", "System_Props_Xml": "<Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/><EventID>1</EventID><Version>5</Version><Level>4</Level><Task>1</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2026-02-02T20:14:09.8040216Z'/><EventRecordID>42170</EventRecordID><Correlation/><Execution ProcessID='3200' ThreadID='3868'/><Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>ar-win-dc.attackrange.local</Computer><Security UserID='S-1-5-18'/>", "_bkt": "win~0~84569963-7203-40C6-84C0-B281193711B0", "_cd": "0:23808175", "_indextime": "1770063251", "_raw": "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/><EventID>1</EventID><Version>5</Version><Level>4</Level><Task>1</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2026-02-02T20:14:09.8040216Z'/><EventRecordID>42170</EventRecordID><Correlation/><Execution ProcessID='3200' ThreadID='3868'/><Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>ar-win-dc.attackrange.local</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='RuleName'>-</Data><Data Name='UtcTime'>2026-02-02 20:14:09.803</Data><Data Name='ProcessGuid'>{05ed74c3-0591-6981-c08f-000000005302}</Data><Data Name='ProcessId'>6572</Data><Data Name='Image'>C:\\Windows\\System32\\rundll32.exe</Data><Data Name='FileVersion'>10.0.20348.3451 (WinBuild.160101.0800)</Data><Data Name='Description'>Windows host process (Rundll32)</Data><Data Name='Product'>Microsoft® Windows® Operating System</Data><Data Name='Company'>Microsoft Corporation</Data><Data Name='OriginalFileName'>RUNDLL32.EXE</Data><Data Name='CommandLine'>rundll32.exe  log.dll,LogInit</Data><Data Name='CurrentDirectory'>C:\\Users\\Administrator\\AppData\\Roaming\\Bluetooth\\</Data><Data Name='User'>ATTACKRANGE\\Administrator</Data><Data Name='LogonGuid'>{05ed74c3-058c-6981-5675-790700000000}</Data><Data Name='LogonId'>0x7797556</Data><Data Name='TerminalSessionId'>0</Data><Data Name='IntegrityLevel'>High</Data><Data Name='Hashes'>MD5=E7D621DDAB207739772BDEA40E12296E,SHA256=02F6A04B3373F195152FB1B4AEAFE25BF8EF4411DC020C2238C541BCC3DC309B,IMPHASH=5C68DE198B5D2DD5C1129782AD19676C</Data><Data Name='ParentProcessGuid'>{05ed74c3-0591-6981-bf8f-000000005302}</Data><Data Name='ParentProcessId'>1544</Data><Data Name='ParentImage'>C:\\Windows\\System32\\cmd.exe</Data><Data Name='ParentCommandLine'>\"C:\\Windows\\system32\\cmd.exe\" /c \"rundll32.exe log.dll,LogInit\"</Data><Data Name='ParentUser'>ATTACKRANGE\\Administrator</Data></EventData></Event>", "_serial": "1", "_si": ["splunk-server", "win"], "_sourcetype": "XmlWinEventLog", "_time": "2026-02-02T20:14:09.000+00:00", "host": "AR-WIN-DC", "index": "win", "linecount": "1", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "XmlWinEventLog", "splunk_server": "splunk-server"}