11/16/2021 10:29:35 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-128.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1166625382-1442148322-2337405042-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=639384 Keywords=None Message=Completed invocation of ScriptBlock ID: a7ae7843-15c3-4703-bc59-8154f327a969 Runspace ID: 3501daeb-9a17-41c9-be73-56afc9bde34a
11/16/2021 10:29:35 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-128.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1166625382-1442148322-2337405042-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=639383 Keywords=None Message=Started invocation of ScriptBlock ID: a7ae7843-15c3-4703-bc59-8154f327a969 Runspace ID: 3501daeb-9a17-41c9-be73-56afc9bde34a
11/16/2021 10:29:35 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=5 Type=Verbose ComputerName=win-dc-128.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1166625382-1442148322-2337405042-500 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=639382 Keywords=None Message=Creating Scriptblock text (1 of 1): $global:? ScriptBlock ID: a7ae7843-15c3-4703-bc59-8154f327a969 Path:
11/16/2021 10:29:35 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-128.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1166625382-1442148322-2337405042-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=639381 Keywords=None Message=Completed invocation of ScriptBlock ID: 7999a450-0f17-4cd1-bbed-28d85aa0f1d8 Runspace ID: 3501daeb-9a17-41c9-be73-56afc9bde34a
11/16/2021 10:29:35 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=8197 EventType=5 Type=Verbose ComputerName=win-dc-128.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1166625382-1442148322-2337405042-500 SidType=0 TaskCategory=Connect OpCode=Open (async) RecordNumber=639380 Keywords=None Message=Runspace state changed to Closed
11/16/2021 10:29:35 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=8197 EventType=5 Type=Verbose ComputerName=win-dc-128.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1166625382-1442148322-2337405042-500 SidType=0 TaskCategory=Connect OpCode=Open (async) RecordNumber=639379 Keywords=None Message=Runspace state changed to Closing
11/16/2021 10:29:35 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=12039 EventType=4 Type=Information ComputerName=win-dc-128.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1166625382-1442148322-2337405042-500 SidType=0 TaskCategory=None OpCode=To be used when operation is just executing a method RecordNumber=639378 Keywords=None Message=Modifying activity Id and correlating
11/16/2021 10:29:35 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=8196 EventType=4 Type=Information ComputerName=win-dc-128.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1166625382-1442148322-2337405042-500 SidType=0 TaskCategory=None OpCode=To be used when operation is just executing a method RecordNumber=639377 Keywords=None Message=Modifying activity Id and correlating
11/16/2021 10:29:35 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=12039 EventType=4 Type=Information ComputerName=win-dc-128.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1166625382-1442148322-2337405042-500 SidType=0 TaskCategory=None OpCode=To be used when operation is just executing a method RecordNumber=639376 Keywords=None Message=Modifying activity Id and correlating
11/16/2021 10:29:35 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=8196 EventType=4 Type=Information ComputerName=win-dc-128.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1166625382-1442148322-2337405042-500 SidType=0 TaskCategory=None OpCode=To be used when operation is just executing a method RecordNumber=639375 Keywords=None Message=Modifying activity Id and correlating
11/16/2021 10:29:35 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=8197 EventType=5 Type=Verbose ComputerName=win-dc-128.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1166625382-1442148322-2337405042-500 SidType=0 TaskCategory=Connect OpCode=Open (async) RecordNumber=639374 Keywords=None Message=Runspace state changed to Opened
11/16/2021 10:29:35 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=12039 EventType=4 Type=Information ComputerName=win-dc-128.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1166625382-1442148322-2337405042-500 SidType=0 TaskCategory=None OpCode=To be used when operation is just executing a method RecordNumber=639373 Keywords=None Message=Modifying activity Id and correlating
11/16/2021 10:29:35 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=8196 EventType=4 Type=Information ComputerName=win-dc-128.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1166625382-1442148322-2337405042-500 SidType=0 TaskCategory=None OpCode=To be used when operation is just executing a method RecordNumber=639372 Keywords=None Message=Modifying activity Id and correlating
11/16/2021 10:29:35 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=12039 EventType=4 Type=Information ComputerName=win-dc-128.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1166625382-1442148322-2337405042-500 SidType=0 TaskCategory=None OpCode=To be used when operation is just executing a method RecordNumber=639371 Keywords=None Message=Modifying activity Id and correlating
11/16/2021 10:29:35 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=8196 EventType=4 Type=Information ComputerName=win-dc-128.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1166625382-1442148322-2337405042-500 SidType=0 TaskCategory=None OpCode=To be used when operation is just executing a method RecordNumber=639370 Keywords=None Message=Modifying activity Id and correlating
11/16/2021 10:29:35 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=12039 EventType=4 Type=Information ComputerName=win-dc-128.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1166625382-1442148322-2337405042-500 SidType=0 TaskCategory=None OpCode=To be used when operation is just executing a method RecordNumber=639369 Keywords=None Message=Modifying activity Id and correlating
11/16/2021 10:29:35 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=8196 EventType=4 Type=Information ComputerName=win-dc-128.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1166625382-1442148322-2337405042-500 SidType=0 TaskCategory=None OpCode=To be used when operation is just executing a method RecordNumber=639368 Keywords=None Message=Modifying activity Id and correlating
11/16/2021 10:29:35 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=8197 EventType=5 Type=Verbose ComputerName=win-dc-128.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1166625382-1442148322-2337405042-500 SidType=0 TaskCategory=Connect OpCode=Open (async) RecordNumber=639367 Keywords=None Message=Runspace state changed to Opening
11/16/2021 10:29:35 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=8195 EventType=5 Type=Verbose ComputerName=win-dc-128.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1166625382-1442148322-2337405042-500 SidType=0 TaskCategory=Connect OpCode=Open (async) RecordNumber=639366 Keywords=None Message=Opening RunspacePool
11/16/2021 10:29:35 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=8194 EventType=5 Type=Verbose ComputerName=win-dc-128.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1166625382-1442148322-2337405042-500 SidType=0 TaskCategory=Connect OpCode=to be used when an object is constructed RecordNumber=639365 Keywords=None Message=Creating RunspacePool object InstanceId 61108566-66ff-4a3a-9623-1e561ed82916 MinRunspaces 1 MaxRunspaces 1
11/16/2021 10:29:35 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=8193 EventType=5 Type=Verbose ComputerName=win-dc-128.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1166625382-1442148322-2337405042-500 SidType=0 TaskCategory=Connect OpCode=to be used when an object is constructed RecordNumber=639364 Keywords=None Message=Creating Runspace object Instance Id: 03262fa6-930a-499f-ab9a-c51f01b36c12
11/16/2021 10:29:35 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-128.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1166625382-1442148322-2337405042-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=639363 Keywords=None Message=Started invocation of ScriptBlock ID: 7999a450-0f17-4cd1-bbed-28d85aa0f1d8 Runspace ID: 3501daeb-9a17-41c9-be73-56afc9bde34a
11/16/2021 10:29:35 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=5 Type=Verbose ComputerName=win-dc-128.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1166625382-1442148322-2337405042-500 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=639362 Keywords=None Message=Creating Scriptblock text (1 of 1): Invoke-Command -ComputerName win-host-987.attackrange.local -ScriptBlock {ipconfig} ScriptBlock ID: 7999a450-0f17-4cd1-bbed-28d85aa0f1d8 Path:
11/16/2021 10:29:35 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=40962 EventType=4 Type=Information ComputerName=win-dc-128.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1166625382-1442148322-2337405042-500 SidType=0 TaskCategory=PowerShell Console Startup OpCode=Stop RecordNumber=639361 Keywords=None Message=PowerShell console is ready for user input
11/16/2021 10:29:35 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=53504 EventType=4 Type=Information ComputerName=win-dc-128.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1166625382-1442148322-2337405042-500 SidType=0 TaskCategory=PowerShell Named Pipe IPC OpCode=Open (async) RecordNumber=639360 Keywords=None Message=Windows PowerShell has started an IPC listening thread on process: 5348 in AppDomain: DefaultAppDomain.
11/16/2021 10:29:35 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=40961 EventType=4 Type=Information ComputerName=win-dc-128.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1166625382-1442148322-2337405042-500 SidType=0 TaskCategory=PowerShell Console Startup OpCode=Start RecordNumber=639359 Keywords=None Message=PowerShell console is starting up
11/16/2021 10:29:35 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-host-987.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1166625382-1442148322-2337405042-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=12101101 Keywords=None Message=Completed invocation of ScriptBlock ID: 412ba569-3be1-4498-ac29-63e12d11a0cb Runspace ID: db3777d1-19ee-4ff4-8e93-3d35f32bd9d3
11/16/2021 10:29:35 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-host-987.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1166625382-1442148322-2337405042-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=12101100 Keywords=None Message=Started invocation of ScriptBlock ID: 412ba569-3be1-4498-ac29-63e12d11a0cb Runspace ID: db3777d1-19ee-4ff4-8e93-3d35f32bd9d3
11/16/2021 10:29:35 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-host-987.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1166625382-1442148322-2337405042-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=12101099 Keywords=None Message=Completed invocation of ScriptBlock ID: be0d8560-69e0-498c-8b01-90e8d9628cb8 Runspace ID: db3777d1-19ee-4ff4-8e93-3d35f32bd9d3
11/16/2021 10:29:35 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-host-987.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1166625382-1442148322-2337405042-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=12101098 Keywords=None Message=Started invocation of ScriptBlock ID: be0d8560-69e0-498c-8b01-90e8d9628cb8 Runspace ID: db3777d1-19ee-4ff4-8e93-3d35f32bd9d3
11/16/2021 10:29:35 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=53504 EventType=4 Type=Information ComputerName=win-host-987.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1166625382-1442148322-2337405042-500 SidType=0 TaskCategory=PowerShell Named Pipe IPC OpCode=Open (async) RecordNumber=12101097 Keywords=None Message=Windows PowerShell has started an IPC listening thread on process: 344 in AppDomain: DefaultAppDomain.