06/02/2021 07:56:07 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=40961 EventType=4 Type=Information ComputerName=win-dc-410.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-965514971-3845575757-877711019-500 SidType=0 TaskCategory=PowerShell Console Startup OpCode=Start RecordNumber=76717 Keywords=None Message=PowerShell console is starting up 06/02/2021 07:56:08 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-410.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-965514971-3845575757-877711019-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=76727 Keywords=None Message=Completed invocation of ScriptBlock ID: 9c0a1120-cf76-4c1e-ad4f-87ff1551b227 Runspace ID: a1d97dfc-fb6c-49e4-a44d-0dc07d35a87f 06/02/2021 07:56:08 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-410.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-965514971-3845575757-877711019-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=76726 Keywords=None Message=Started invocation of ScriptBlock ID: 9c0a1120-cf76-4c1e-ad4f-87ff1551b227 Runspace ID: a1d97dfc-fb6c-49e4-a44d-0dc07d35a87f 06/02/2021 07:56:08 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=5 Type=Verbose ComputerName=win-dc-410.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-965514971-3845575757-877711019-500 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=76725 Keywords=None Message=Creating Scriptblock text (1 of 1): $global:? ScriptBlock ID: 9c0a1120-cf76-4c1e-ad4f-87ff1551b227 Path: 06/02/2021 07:56:08 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-410.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-965514971-3845575757-877711019-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=76724 Keywords=None Message=Completed invocation of ScriptBlock ID: 4ed32024-7e82-4044-9eed-745bd7a24b5c Runspace ID: a1d97dfc-fb6c-49e4-a44d-0dc07d35a87f 06/02/2021 07:56:08 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-410.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-965514971-3845575757-877711019-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=76723 Keywords=None Message=Completed invocation of ScriptBlock ID: 8ea90b32-5905-4016-a816-b465f0e76a0e Runspace ID: a1d97dfc-fb6c-49e4-a44d-0dc07d35a87f 06/02/2021 07:56:08 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-410.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-965514971-3845575757-877711019-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=76722 Keywords=None Message=Started invocation of ScriptBlock ID: 8ea90b32-5905-4016-a816-b465f0e76a0e Runspace ID: a1d97dfc-fb6c-49e4-a44d-0dc07d35a87f 06/02/2021 07:56:08 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-410.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-965514971-3845575757-877711019-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=76721 Keywords=None Message=Started invocation of ScriptBlock ID: 4ed32024-7e82-4044-9eed-745bd7a24b5c Runspace ID: a1d97dfc-fb6c-49e4-a44d-0dc07d35a87f 06/02/2021 07:56:08 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=5 Type=Verbose ComputerName=win-dc-410.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-965514971-3845575757-877711019-500 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=76720 Keywords=None Message=Creating Scriptblock text (1 of 1): Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();} ScriptBlock ID: 4ed32024-7e82-4044-9eed-745bd7a24b5c Path: 06/02/2021 07:56:08 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=40962 EventType=4 Type=Information ComputerName=win-dc-410.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-965514971-3845575757-877711019-500 SidType=0 TaskCategory=PowerShell Console Startup OpCode=Stop RecordNumber=76719 Keywords=None Message=PowerShell console is ready for user input 06/02/2021 07:56:08 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=53504 EventType=4 Type=Information ComputerName=win-dc-410.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-965514971-3845575757-877711019-500 SidType=0 TaskCategory=PowerShell Named Pipe IPC OpCode=Open (async) RecordNumber=76718 Keywords=None Message=Windows PowerShell has started an IPC listening thread on process: 5208 in AppDomain: DefaultAppDomain. 06/02/2021 07:59:17 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=40962 EventType=4 Type=Information ComputerName=win-dc-410.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-965514971-3845575757-877711019-500 SidType=0 TaskCategory=PowerShell Console Startup OpCode=Stop RecordNumber=76730 Keywords=None Message=PowerShell console is ready for user input 06/02/2021 07:59:17 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=53504 EventType=4 Type=Information ComputerName=win-dc-410.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-965514971-3845575757-877711019-500 SidType=0 TaskCategory=PowerShell Named Pipe IPC OpCode=Open (async) RecordNumber=76729 Keywords=None Message=Windows PowerShell has started an IPC listening thread on process: 2324 in AppDomain: DefaultAppDomain. 06/02/2021 07:59:17 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=40961 EventType=4 Type=Information ComputerName=win-dc-410.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-965514971-3845575757-877711019-500 SidType=0 TaskCategory=PowerShell Console Startup OpCode=Start RecordNumber=76728 Keywords=None Message=PowerShell console is starting up 06/02/2021 07:59:18 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-410.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-965514971-3845575757-877711019-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=76738 Keywords=None Message=Completed invocation of ScriptBlock ID: fe041342-75a9-48ac-a236-602ff0a68b48 Runspace ID: f7b847fd-2db1-4a88-b7ab-f791755b7fba 06/02/2021 07:59:18 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-410.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-965514971-3845575757-877711019-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=76737 Keywords=None Message=Started invocation of ScriptBlock ID: fe041342-75a9-48ac-a236-602ff0a68b48 Runspace ID: f7b847fd-2db1-4a88-b7ab-f791755b7fba 06/02/2021 07:59:18 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=5 Type=Verbose ComputerName=win-dc-410.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-965514971-3845575757-877711019-500 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=76736 Keywords=None Message=Creating Scriptblock text (1 of 1): $global:? ScriptBlock ID: fe041342-75a9-48ac-a236-602ff0a68b48 Path: 06/02/2021 07:59:18 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-410.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-965514971-3845575757-877711019-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=76735 Keywords=None Message=Completed invocation of ScriptBlock ID: d1c29bd3-daf9-4ddd-8aac-1f34b60216ca Runspace ID: f7b847fd-2db1-4a88-b7ab-f791755b7fba 06/02/2021 07:59:18 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-410.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-965514971-3845575757-877711019-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=76734 Keywords=None Message=Completed invocation of ScriptBlock ID: 636c03ca-1a89-4391-bfa6-02270056cb5e Runspace ID: f7b847fd-2db1-4a88-b7ab-f791755b7fba 06/02/2021 07:59:18 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-410.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-965514971-3845575757-877711019-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=76733 Keywords=None Message=Started invocation of ScriptBlock ID: 636c03ca-1a89-4391-bfa6-02270056cb5e Runspace ID: f7b847fd-2db1-4a88-b7ab-f791755b7fba 06/02/2021 07:59:18 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-410.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-965514971-3845575757-877711019-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=76732 Keywords=None Message=Started invocation of ScriptBlock ID: d1c29bd3-daf9-4ddd-8aac-1f34b60216ca Runspace ID: f7b847fd-2db1-4a88-b7ab-f791755b7fba 06/02/2021 07:59:18 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=5 Type=Verbose ComputerName=win-dc-410.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-965514971-3845575757-877711019-500 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=76731 Keywords=None Message=Creating Scriptblock text (1 of 1): Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();} ScriptBlock ID: d1c29bd3-daf9-4ddd-8aac-1f34b60216ca Path: 06/02/2021 08:08:30 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-410.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-965514971-3845575757-877711019-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=76749 Keywords=None Message=Completed invocation of ScriptBlock ID: dafb36b7-7a59-499c-96b7-5b89ceb5632a Runspace ID: 71c3b8a0-913a-432d-98fd-ec9fe8a62131 06/02/2021 08:08:30 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-410.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-965514971-3845575757-877711019-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=76748 Keywords=None Message=Started invocation of ScriptBlock ID: dafb36b7-7a59-499c-96b7-5b89ceb5632a Runspace ID: 71c3b8a0-913a-432d-98fd-ec9fe8a62131 06/02/2021 08:08:30 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=5 Type=Verbose ComputerName=win-dc-410.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-965514971-3845575757-877711019-500 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=76747 Keywords=None Message=Creating Scriptblock text (1 of 1): $global:? ScriptBlock ID: dafb36b7-7a59-499c-96b7-5b89ceb5632a Path: 06/02/2021 08:08:30 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-410.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-965514971-3845575757-877711019-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=76746 Keywords=None Message=Completed invocation of ScriptBlock ID: 6b4eb886-b250-4088-bd7a-30fd7e49dcdc Runspace ID: 71c3b8a0-913a-432d-98fd-ec9fe8a62131 06/02/2021 08:08:30 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-410.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-965514971-3845575757-877711019-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=76745 Keywords=None Message=Completed invocation of ScriptBlock ID: 5dbf0285-9e4a-46b2-9956-107f51580377 Runspace ID: 71c3b8a0-913a-432d-98fd-ec9fe8a62131 06/02/2021 08:08:30 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-410.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-965514971-3845575757-877711019-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=76744 Keywords=None Message=Started invocation of ScriptBlock ID: 5dbf0285-9e4a-46b2-9956-107f51580377 Runspace ID: 71c3b8a0-913a-432d-98fd-ec9fe8a62131 06/02/2021 08:08:30 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-410.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-965514971-3845575757-877711019-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=76743 Keywords=None Message=Started invocation of ScriptBlock ID: 6b4eb886-b250-4088-bd7a-30fd7e49dcdc Runspace ID: 71c3b8a0-913a-432d-98fd-ec9fe8a62131 06/02/2021 08:08:30 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=5 Type=Verbose ComputerName=win-dc-410.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-965514971-3845575757-877711019-500 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=76742 Keywords=None Message=Creating Scriptblock text (1 of 1): Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();} ScriptBlock ID: 6b4eb886-b250-4088-bd7a-30fd7e49dcdc Path: 06/02/2021 08:08:30 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=40962 EventType=4 Type=Information ComputerName=win-dc-410.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-965514971-3845575757-877711019-500 SidType=0 TaskCategory=PowerShell Console Startup OpCode=Stop RecordNumber=76741 Keywords=None Message=PowerShell console is ready for user input 06/02/2021 08:08:30 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=53504 EventType=4 Type=Information ComputerName=win-dc-410.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-965514971-3845575757-877711019-500 SidType=0 TaskCategory=PowerShell Named Pipe IPC OpCode=Open (async) RecordNumber=76740 Keywords=None Message=Windows PowerShell has started an IPC listening thread on process: 4440 in AppDomain: DefaultAppDomain. 06/02/2021 08:08:30 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=40961 EventType=4 Type=Information ComputerName=win-dc-410.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-965514971-3845575757-877711019-500 SidType=0 TaskCategory=PowerShell Console Startup OpCode=Start RecordNumber=76739 Keywords=None Message=PowerShell console is starting up 06/02/2021 08:43:37 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-410.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-965514971-3845575757-877711019-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=76756 Keywords=None Message=Completed invocation of ScriptBlock ID: 69e00b9a-ce51-4429-b784-8a8de8e5a428 Runspace ID: 5abdebc6-a5fd-4e59-a62a-0b9e5d58feee 06/02/2021 08:43:37 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-410.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-965514971-3845575757-877711019-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=76755 Keywords=None Message=Started invocation of ScriptBlock ID: 69e00b9a-ce51-4429-b784-8a8de8e5a428 Runspace ID: 5abdebc6-a5fd-4e59-a62a-0b9e5d58feee 06/02/2021 08:43:37 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-410.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-965514971-3845575757-877711019-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=76754 Keywords=None Message=Started invocation of ScriptBlock ID: cf09cd68-cd00-4663-8027-b401d7c72283 Runspace ID: 5abdebc6-a5fd-4e59-a62a-0b9e5d58feee 06/02/2021 08:43:37 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=5 Type=Verbose ComputerName=win-dc-410.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-965514971-3845575757-877711019-500 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=76753 Keywords=None Message=Creating Scriptblock text (1 of 1): Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();} ScriptBlock ID: cf09cd68-cd00-4663-8027-b401d7c72283 Path: 06/02/2021 08:43:37 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=40962 EventType=4 Type=Information ComputerName=win-dc-410.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-965514971-3845575757-877711019-500 SidType=0 TaskCategory=PowerShell Console Startup OpCode=Stop RecordNumber=76752 Keywords=None Message=PowerShell console is ready for user input 06/02/2021 08:43:37 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=53504 EventType=4 Type=Information ComputerName=win-dc-410.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-965514971-3845575757-877711019-500 SidType=0 TaskCategory=PowerShell Named Pipe IPC OpCode=Open (async) RecordNumber=76751 Keywords=None Message=Windows PowerShell has started an IPC listening thread on process: 224 in AppDomain: DefaultAppDomain. 06/02/2021 08:43:37 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=40961 EventType=4 Type=Information ComputerName=win-dc-410.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-965514971-3845575757-877711019-500 SidType=0 TaskCategory=PowerShell Console Startup OpCode=Start RecordNumber=76750 Keywords=None Message=PowerShell console is starting up 06/02/2021 08:43:38 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-410.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-965514971-3845575757-877711019-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=76760 Keywords=None Message=Completed invocation of ScriptBlock ID: 40de8f01-018f-4007-8ddd-7f49e4fefbfd Runspace ID: 5abdebc6-a5fd-4e59-a62a-0b9e5d58feee 06/02/2021 08:43:38 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-410.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-965514971-3845575757-877711019-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=76759 Keywords=None Message=Started invocation of ScriptBlock ID: 40de8f01-018f-4007-8ddd-7f49e4fefbfd Runspace ID: 5abdebc6-a5fd-4e59-a62a-0b9e5d58feee 06/02/2021 08:43:38 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=5 Type=Verbose ComputerName=win-dc-410.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-965514971-3845575757-877711019-500 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=76758 Keywords=None Message=Creating Scriptblock text (1 of 1): $global:? ScriptBlock ID: 40de8f01-018f-4007-8ddd-7f49e4fefbfd Path: 06/02/2021 08:43:38 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-410.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-965514971-3845575757-877711019-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=76757 Keywords=None Message=Completed invocation of ScriptBlock ID: cf09cd68-cd00-4663-8027-b401d7c72283 Runspace ID: 5abdebc6-a5fd-4e59-a62a-0b9e5d58feee 06/02/2021 08:50:17 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-410.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-965514971-3845575757-877711019-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=76767 Keywords=None Message=Completed invocation of ScriptBlock ID: d6d0649f-0e64-471a-9300-0a7e96a82e5c Runspace ID: 1df1cf6b-9f74-4624-9207-d5200adf50e9 06/02/2021 08:50:17 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-410.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-965514971-3845575757-877711019-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=76766 Keywords=None Message=Started invocation of ScriptBlock ID: d6d0649f-0e64-471a-9300-0a7e96a82e5c Runspace ID: 1df1cf6b-9f74-4624-9207-d5200adf50e9 06/02/2021 08:50:17 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-410.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-965514971-3845575757-877711019-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=76765 Keywords=None Message=Started invocation of ScriptBlock ID: c1212bea-16a0-4a0b-8b5d-acf76dfd648f Runspace ID: 1df1cf6b-9f74-4624-9207-d5200adf50e9 06/02/2021 08:50:17 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=5 Type=Verbose ComputerName=win-dc-410.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-965514971-3845575757-877711019-500 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=76764 Keywords=None Message=Creating Scriptblock text (1 of 1): Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();} ScriptBlock ID: c1212bea-16a0-4a0b-8b5d-acf76dfd648f Path: 06/02/2021 08:50:17 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=40962 EventType=4 Type=Information ComputerName=win-dc-410.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-965514971-3845575757-877711019-500 SidType=0 TaskCategory=PowerShell Console Startup OpCode=Stop RecordNumber=76763 Keywords=None Message=PowerShell console is ready for user input 06/02/2021 08:50:17 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=53504 EventType=4 Type=Information ComputerName=win-dc-410.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-965514971-3845575757-877711019-500 SidType=0 TaskCategory=PowerShell Named Pipe IPC OpCode=Open (async) RecordNumber=76762 Keywords=None Message=Windows PowerShell has started an IPC listening thread on process: 5444 in AppDomain: DefaultAppDomain. 06/02/2021 08:50:17 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=40961 EventType=4 Type=Information ComputerName=win-dc-410.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-965514971-3845575757-877711019-500 SidType=0 TaskCategory=PowerShell Console Startup OpCode=Start RecordNumber=76761 Keywords=None Message=PowerShell console is starting up 06/02/2021 08:50:18 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-410.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-965514971-3845575757-877711019-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=76771 Keywords=None Message=Completed invocation of ScriptBlock ID: a03053ec-8a4a-47e6-a5d4-289b00230e61 Runspace ID: 1df1cf6b-9f74-4624-9207-d5200adf50e9 06/02/2021 08:50:18 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-dc-410.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-965514971-3845575757-877711019-500 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=76770 Keywords=None Message=Started invocation of ScriptBlock ID: a03053ec-8a4a-47e6-a5d4-289b00230e61 Runspace ID: 1df1cf6b-9f74-4624-9207-d5200adf50e9 06/02/2021 08:50:18 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=5 Type=Verbose ComputerName=win-dc-410.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-965514971-3845575757-877711019-500 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=76769 Keywords=None Message=Creating Scriptblock text (1 of 1): $global:? ScriptBlock ID: a03053ec-8a4a-47e6-a5d4-289b00230e61 Path: 06/02/2021 08:50:18 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-dc-410.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-965514971-3845575757-877711019-500 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=76768 Keywords=None Message=Completed invocation of ScriptBlock ID: c1212bea-16a0-4a0b-8b5d-acf76dfd648f Runspace ID: 1df1cf6b-9f74-4624-9207-d5200adf50e9