11/15/2021 07:40:00 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=40961 EventType=4 Type=Information ComputerName=win-dc-128.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1166625382-1442148322-2337405042-500 SidType=0 TaskCategory=PowerShell Console Startup OpCode=Start RecordNumber=639022 Keywords=None Message=PowerShell console is starting up

11/15/2021 07:40:01 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-128.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1166625382-1442148322-2337405042-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=639032 Keywords=None Message=Completed invocation of ScriptBlock ID: 39d5f733-3f88-4af1-99b2-fdd2cc1c01c9 Runspace ID: c11f0757-8cec-4174-bbe4-d754649cd2a3

11/15/2021 07:40:01 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-128.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1166625382-1442148322-2337405042-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=639031 Keywords=None Message=Started invocation of ScriptBlock ID: 39d5f733-3f88-4af1-99b2-fdd2cc1c01c9 Runspace ID: c11f0757-8cec-4174-bbe4-d754649cd2a3

11/15/2021 07:40:01 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=5 Type=Verbose ComputerName=win-dc-128.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1166625382-1442148322-2337405042-500 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=639030 Keywords=None Message=Creating Scriptblock text (1 of 1): $global:?
ScriptBlock ID: 39d5f733-3f88-4af1-99b2-fdd2cc1c01c9 Path:

11/15/2021 07:40:01 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-128.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1166625382-1442148322-2337405042-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=639029 Keywords=None Message=Completed invocation of ScriptBlock ID: 84462daf-13f7-4392-b999-ca9e10376b56 Runspace ID: c11f0757-8cec-4174-bbe4-d754649cd2a3

11/15/2021 07:40:01 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-128.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1166625382-1442148322-2337405042-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=639028 Keywords=None Message=Completed invocation of ScriptBlock ID: cf58e017-9d95-4f09-9972-f2a6471ec938 Runspace ID: c11f0757-8cec-4174-bbe4-d754649cd2a3

11/15/2021 07:40:01 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-128.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1166625382-1442148322-2337405042-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=639027 Keywords=None Message=Started invocation of ScriptBlock ID: cf58e017-9d95-4f09-9972-f2a6471ec938 Runspace ID: c11f0757-8cec-4174-bbe4-d754649cd2a3

11/15/2021 07:40:01 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-128.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1166625382-1442148322-2337405042-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=639026 Keywords=None Message=Started invocation of ScriptBlock ID: 84462daf-13f7-4392-b999-ca9e10376b56 Runspace ID: c11f0757-8cec-4174-bbe4-d754649cd2a3

11/15/2021 07:40:01 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=5 Type=Verbose ComputerName=win-dc-128.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1166625382-1442148322-2337405042-500 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=639025 Keywords=None Message=Creating Scriptblock text (1 of 1): Invoke-WmiMethod -CN 10.0.1.15 -Class Win32_Process -Name create -ArgumentList C:\met.exe
ScriptBlock ID: 84462daf-13f7-4392-b999-ca9e10376b56 Path:

11/15/2021 07:40:01 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=40962 EventType=4 Type=Information ComputerName=win-dc-128.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1166625382-1442148322-2337405042-500 SidType=0 TaskCategory=PowerShell Console Startup OpCode=Stop RecordNumber=639024 Keywords=None Message=PowerShell console is ready for user input

11/15/2021 07:40:01 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=53504 EventType=4 Type=Information ComputerName=win-dc-128.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1166625382-1442148322-2337405042-500 SidType=0 TaskCategory=PowerShell Named Pipe IPC OpCode=Open (async) RecordNumber=639023 Keywords=None Message=Windows PowerShell has started an IPC listening thread on process: 1852 in AppDomain: DefaultAppDomain.