{ "PayloadData1": "HostApplication=powershell.exe -NoProfile -Command exit\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.3803\r", "MapDescription": "Provider is Started", "ChunkNumber": 0, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Registry, Started, \\tProviderName=Registry\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=1\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.3803\\n\\tHostId=f7c5944d-19f7-40f5-b952-3d8c6a3c4bad\\n\\tHostApplication=powershell.exe -NoProfile -Command exit\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "1", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-15T14:05:52.6065781+00:00", "RecordNumber": 1 } { "PayloadData1": "HostApplication=powershell.exe -NoProfile -Command exit\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.3803\r", "MapDescription": "Provider is Started", "ChunkNumber": 0, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Alias, Started, \\tProviderName=Alias\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=3\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.3803\\n\\tHostId=f7c5944d-19f7-40f5-b952-3d8c6a3c4bad\\n\\tHostApplication=powershell.exe -NoProfile -Command exit\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "2", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-15T14:05:52.6183740+00:00", "RecordNumber": 2 } { "PayloadData1": "HostApplication=powershell.exe -NoProfile -Command exit\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.3803\r", "MapDescription": "Provider is Started", "ChunkNumber": 0, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Environment, Started, \\tProviderName=Environment\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=5\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.3803\\n\\tHostId=f7c5944d-19f7-40f5-b952-3d8c6a3c4bad\\n\\tHostApplication=powershell.exe -NoProfile -Command exit\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "3", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-15T14:05:52.6217698+00:00", "RecordNumber": 3 } { "PayloadData1": "HostApplication=powershell.exe -NoProfile -Command exit\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.3803\r", "MapDescription": "Provider is Started", "ChunkNumber": 0, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"FileSystem, Started, \\tProviderName=FileSystem\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=7\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.3803\\n\\tHostId=f7c5944d-19f7-40f5-b952-3d8c6a3c4bad\\n\\tHostApplication=powershell.exe -NoProfile -Command exit\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "4", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-15T14:05:52.6534943+00:00", "RecordNumber": 4 } { "PayloadData1": "HostApplication=powershell.exe -NoProfile -Command exit\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.3803\r", "MapDescription": "Provider is Started", "ChunkNumber": 0, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Function, Started, \\tProviderName=Function\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=9\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.3803\\n\\tHostId=f7c5944d-19f7-40f5-b952-3d8c6a3c4bad\\n\\tHostApplication=powershell.exe -NoProfile -Command exit\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "5", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-15T14:05:52.6534943+00:00", "RecordNumber": 5 } { "PayloadData1": "HostApplication=powershell.exe -NoProfile -Command exit\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.3803\r", "MapDescription": "Provider is Started", "ChunkNumber": 0, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Variable, Started, \\tProviderName=Variable\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=11\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.3803\\n\\tHostId=f7c5944d-19f7-40f5-b952-3d8c6a3c4bad\\n\\tHostApplication=powershell.exe -NoProfile -Command exit\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "6", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-15T14:05:52.6676330+00:00", "RecordNumber": 6 } { "PayloadData1": "HostApplication=powershell.exe -NoProfile -Command exit\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.3803\r", "MapDescription": "Engine state is changed from None to Available", "ChunkNumber": 0, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Available, None, \\tNewEngineState=Available\\n\\tPreviousEngineState=None\\n\\n\\tSequenceNumber=13\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.3803\\n\\tHostId=f7c5944d-19f7-40f5-b952-3d8c6a3c4bad\\n\\tHostApplication=powershell.exe -NoProfile -Command exit\\n\\tEngineVersion=5.1.19041.3803\\n\\tRunspaceId=ce909717-7a12-483e-aad3-3e15c931e49d\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 400, "EventRecordId": "7", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-15T14:05:52.8956182+00:00", "RecordNumber": 7 } { "PayloadData1": "HostApplication=powershell.exe -NoProfile -Command exit\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.3803\r", "MapDescription": "Engine state is changed from Available to Stopped", "ChunkNumber": 0, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Stopped, Available, \\tNewEngineState=Stopped\\n\\tPreviousEngineState=Available\\n\\n\\tSequenceNumber=15\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.3803\\n\\tHostId=f7c5944d-19f7-40f5-b952-3d8c6a3c4bad\\n\\tHostApplication=powershell.exe -NoProfile -Command exit\\n\\tEngineVersion=5.1.19041.3803\\n\\tRunspaceId=ce909717-7a12-483e-aad3-3e15c931e49d\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 403, "EventRecordId": "8", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-15T14:05:53.3879513+00:00", "RecordNumber": 8 } { "PayloadData1": "HostApplication=powershell.exe -NoProfile -Command (Get-Content 'C:\\Program Files\\ScadaBR\\tomcat\\conf\\server.xml') | Foreach-Object {$_ -replace '<tomcat-port>', '8080'} | Set-Content 'C:\\Program Files\\ScadaBR\\tomcat\\conf\\server.xml'\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.3803\r", "MapDescription": "Provider is Started", "ChunkNumber": 0, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Registry, Started, \\tProviderName=Registry\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=1\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.3803\\n\\tHostId=c113a646-5cc2-4979-81e6-694ddb457e5e\\n\\tHostApplication=powershell.exe -NoProfile -Command (Get-Content 'C:\\\\Program Files\\\\ScadaBR\\\\tomcat\\\\conf\\\\server.xml') | Foreach-Object {$_ -replace '<tomcat-port>', '8080'} | Set-Content 'C:\\\\Program Files\\\\ScadaBR\\\\tomcat\\\\conf\\\\server.xml'\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "9", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-15T14:06:05.4825385+00:00", "RecordNumber": 9 } { "PayloadData1": "HostApplication=powershell.exe -NoProfile -Command (Get-Content 'C:\\Program Files\\ScadaBR\\tomcat\\conf\\server.xml') | Foreach-Object {$_ -replace '<tomcat-port>', '8080'} | Set-Content 'C:\\Program Files\\ScadaBR\\tomcat\\conf\\server.xml'\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.3803\r", "MapDescription": "Provider is Started", "ChunkNumber": 0, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Alias, Started, \\tProviderName=Alias\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=3\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.3803\\n\\tHostId=c113a646-5cc2-4979-81e6-694ddb457e5e\\n\\tHostApplication=powershell.exe -NoProfile -Command (Get-Content 'C:\\\\Program Files\\\\ScadaBR\\\\tomcat\\\\conf\\\\server.xml') | Foreach-Object {$_ -replace '<tomcat-port>', '8080'} | Set-Content 'C:\\\\Program Files\\\\ScadaBR\\\\tomcat\\\\conf\\\\server.xml'\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "10", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-15T14:06:05.4885789+00:00", "RecordNumber": 10 } { "PayloadData1": "HostApplication=powershell.exe -NoProfile -Command (Get-Content 'C:\\Program Files\\ScadaBR\\tomcat\\conf\\server.xml') | Foreach-Object {$_ -replace '<tomcat-port>', '8080'} | Set-Content 'C:\\Program Files\\ScadaBR\\tomcat\\conf\\server.xml'\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.3803\r", "MapDescription": "Provider is Started", "ChunkNumber": 0, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Environment, Started, \\tProviderName=Environment\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=5\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.3803\\n\\tHostId=c113a646-5cc2-4979-81e6-694ddb457e5e\\n\\tHostApplication=powershell.exe -NoProfile -Command (Get-Content 'C:\\\\Program Files\\\\ScadaBR\\\\tomcat\\\\conf\\\\server.xml') | Foreach-Object {$_ -replace '<tomcat-port>', '8080'} | Set-Content 'C:\\\\Program Files\\\\ScadaBR\\\\tomcat\\\\conf\\\\server.xml'\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "11", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-15T14:06:05.4885789+00:00", "RecordNumber": 11 } { "PayloadData1": "HostApplication=powershell.exe -NoProfile -Command (Get-Content 'C:\\Program Files\\ScadaBR\\tomcat\\conf\\server.xml') | Foreach-Object {$_ -replace '<tomcat-port>', '8080'} | Set-Content 'C:\\Program Files\\ScadaBR\\tomcat\\conf\\server.xml'\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.3803\r", "MapDescription": "Provider is Started", "ChunkNumber": 0, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"FileSystem, Started, \\tProviderName=FileSystem\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=7\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.3803\\n\\tHostId=c113a646-5cc2-4979-81e6-694ddb457e5e\\n\\tHostApplication=powershell.exe -NoProfile -Command (Get-Content 'C:\\\\Program Files\\\\ScadaBR\\\\tomcat\\\\conf\\\\server.xml') | Foreach-Object {$_ -replace '<tomcat-port>', '8080'} | Set-Content 'C:\\\\Program Files\\\\ScadaBR\\\\tomcat\\\\conf\\\\server.xml'\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "12", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-15T14:06:05.5290044+00:00", "RecordNumber": 12 } { "PayloadData1": "HostApplication=powershell.exe -NoProfile -Command (Get-Content 'C:\\Program Files\\ScadaBR\\tomcat\\conf\\server.xml') | Foreach-Object {$_ -replace '<tomcat-port>', '8080'} | Set-Content 'C:\\Program Files\\ScadaBR\\tomcat\\conf\\server.xml'\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.3803\r", "MapDescription": "Provider is Started", "ChunkNumber": 0, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Function, Started, \\tProviderName=Function\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=9\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.3803\\n\\tHostId=c113a646-5cc2-4979-81e6-694ddb457e5e\\n\\tHostApplication=powershell.exe -NoProfile -Command (Get-Content 'C:\\\\Program Files\\\\ScadaBR\\\\tomcat\\\\conf\\\\server.xml') | Foreach-Object {$_ -replace '<tomcat-port>', '8080'} | Set-Content 'C:\\\\Program Files\\\\ScadaBR\\\\tomcat\\\\conf\\\\server.xml'\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "13", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-15T14:06:05.5290044+00:00", "RecordNumber": 13 } { "PayloadData1": "HostApplication=powershell.exe -NoProfile -Command (Get-Content 'C:\\Program Files\\ScadaBR\\tomcat\\conf\\server.xml') | Foreach-Object {$_ -replace '<tomcat-port>', '8080'} | Set-Content 'C:\\Program Files\\ScadaBR\\tomcat\\conf\\server.xml'\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.3803\r", "MapDescription": "Provider is Started", "ChunkNumber": 0, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Variable, Started, \\tProviderName=Variable\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=11\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.3803\\n\\tHostId=c113a646-5cc2-4979-81e6-694ddb457e5e\\n\\tHostApplication=powershell.exe -NoProfile -Command (Get-Content 'C:\\\\Program Files\\\\ScadaBR\\\\tomcat\\\\conf\\\\server.xml') | Foreach-Object {$_ -replace '<tomcat-port>', '8080'} | Set-Content 'C:\\\\Program Files\\\\ScadaBR\\\\tomcat\\\\conf\\\\server.xml'\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "14", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-15T14:06:05.5382080+00:00", "RecordNumber": 14 } { "PayloadData1": "HostApplication=powershell.exe -NoProfile -Command (Get-Content 'C:\\Program Files\\ScadaBR\\tomcat\\conf\\server.xml') | Foreach-Object {$_ -replace '<tomcat-port>', '8080'} | Set-Content 'C:\\Program Files\\ScadaBR\\tomcat\\conf\\server.xml'\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.3803\r", "MapDescription": "Engine state is changed from None to Available", "ChunkNumber": 0, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Available, None, \\tNewEngineState=Available\\n\\tPreviousEngineState=None\\n\\n\\tSequenceNumber=13\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.3803\\n\\tHostId=c113a646-5cc2-4979-81e6-694ddb457e5e\\n\\tHostApplication=powershell.exe -NoProfile -Command (Get-Content 'C:\\\\Program Files\\\\ScadaBR\\\\tomcat\\\\conf\\\\server.xml') | Foreach-Object {$_ -replace '<tomcat-port>', '8080'} | Set-Content 'C:\\\\Program Files\\\\ScadaBR\\\\tomcat\\\\conf\\\\server.xml'\\n\\tEngineVersion=5.1.19041.3803\\n\\tRunspaceId=131e5237-9ac1-462d-abbf-96575d494065\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 400, "EventRecordId": "15", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-15T14:06:05.8422869+00:00", "RecordNumber": 15 } { "PayloadData1": "HostApplication=powershell.exe -NoProfile -Command (Get-Content 'C:\\Program Files\\ScadaBR\\tomcat\\conf\\server.xml') | Foreach-Object {$_ -replace '<tomcat-port>', '8080'} | Set-Content 'C:\\Program Files\\ScadaBR\\tomcat\\conf\\server.xml'\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.3803\r", "MapDescription": "Engine state is changed from Available to Stopped", "ChunkNumber": 0, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Stopped, Available, \\tNewEngineState=Stopped\\n\\tPreviousEngineState=Available\\n\\n\\tSequenceNumber=15\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.3803\\n\\tHostId=c113a646-5cc2-4979-81e6-694ddb457e5e\\n\\tHostApplication=powershell.exe -NoProfile -Command (Get-Content 'C:\\\\Program Files\\\\ScadaBR\\\\tomcat\\\\conf\\\\server.xml') | Foreach-Object {$_ -replace '<tomcat-port>', '8080'} | Set-Content 'C:\\\\Program Files\\\\ScadaBR\\\\tomcat\\\\conf\\\\server.xml'\\n\\tEngineVersion=5.1.19041.3803\\n\\tRunspaceId=131e5237-9ac1-462d-abbf-96575d494065\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 403, "EventRecordId": "16", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-15T14:06:07.5154809+00:00", "RecordNumber": 16 } { "PayloadData1": "HostApplication=powershell.exe -ExecutionPolicy Restricted -Command \r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.3803\r", "MapDescription": "Provider is Started", "ChunkNumber": 0, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Registry, Started, \\tProviderName=Registry\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=1\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.3803\\n\\tHostId=86ae1f05-ba62-47ff-b103-5760ecb2c843\\n\\tHostApplication=powershell.exe -ExecutionPolicy Restricted -Command \\n $isBroken = 0\\n\\n # Define the root registry path\\n $ShellRegRoot = 'HKCU:\\\\Software\\\\Classes\\\\Local Settings\\\\Software\\\\Microsoft\\\\Windows\\\\Shell'\\n $bagMRURoot = $ShellRegRoot + '\\\\BagMRU'\\n $bagRoot = $ShellRegRoot + '\\\\Bags'\\n\\n # Define the target GUID tail for MSGraphHome\\n $HomeFolderGuid = '14001F400E3174F8B7B6DC47BC84B9E6B38F59030000'\\n\\n $properties = Get-ItemProperty -Path $bagMRURoot\\n\\n foreach ($property in $properties.PSObject.Properties) {\\n if ($property.TypeNameOfValue -eq 'System.Byte[]') {\\n $hexString = ($property.Value | ForEach-Object { $_.ToString('X2') }) -join ''\\n if ($hexString -eq $HomeFolderGuid) {\\n $subkey = $property.Name\\n $nodeSlot = Get-ItemPropertyValue -Path ($bagMRURoot + '\\\\' + $subkey) -Name 'NodeSlot'\\n $isBroken = if ((Get-ItemPropertyValue -Path ($bagRoot + '\\\\' + $nodeSlot + '\\\\Shell\\\\*') -Name 'GroupView') -eq 0) { 1 } else { 0 }\\n break\\n }\\n }\\n }\\n\\n Write-Host 'Final result:',$isBroken\\n\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "17", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-16T14:22:46.6918115+00:00", "RecordNumber": 17 } { "PayloadData1": "HostApplication=powershell.exe -ExecutionPolicy Restricted -Command \r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.3803\r", "MapDescription": "Provider is Started", "ChunkNumber": 0, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Alias, Started, \\tProviderName=Alias\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=3\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.3803\\n\\tHostId=86ae1f05-ba62-47ff-b103-5760ecb2c843\\n\\tHostApplication=powershell.exe -ExecutionPolicy Restricted -Command \\n $isBroken = 0\\n\\n # Define the root registry path\\n $ShellRegRoot = 'HKCU:\\\\Software\\\\Classes\\\\Local Settings\\\\Software\\\\Microsoft\\\\Windows\\\\Shell'\\n $bagMRURoot = $ShellRegRoot + '\\\\BagMRU'\\n $bagRoot = $ShellRegRoot + '\\\\Bags'\\n\\n # Define the target GUID tail for MSGraphHome\\n $HomeFolderGuid = '14001F400E3174F8B7B6DC47BC84B9E6B38F59030000'\\n\\n $properties = Get-ItemProperty -Path $bagMRURoot\\n\\n foreach ($property in $properties.PSObject.Properties) {\\n if ($property.TypeNameOfValue -eq 'System.Byte[]') {\\n $hexString = ($property.Value | ForEach-Object { $_.ToString('X2') }) -join ''\\n if ($hexString -eq $HomeFolderGuid) {\\n $subkey = $property.Name\\n $nodeSlot = Get-ItemPropertyValue -Path ($bagMRURoot + '\\\\' + $subkey) -Name 'NodeSlot'\\n $isBroken = if ((Get-ItemPropertyValue -Path ($bagRoot + '\\\\' + $nodeSlot + '\\\\Shell\\\\*') -Name 'GroupView') -eq 0) { 1 } else { 0 }\\n break\\n }\\n }\\n }\\n\\n Write-Host 'Final result:',$isBroken\\n\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "18", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-16T14:22:46.6930509+00:00", "RecordNumber": 18 } { "PayloadData1": "HostApplication=powershell.exe -ExecutionPolicy Restricted -Command \r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.3803\r", "MapDescription": "Provider is Started", "ChunkNumber": 0, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Environment, Started, \\tProviderName=Environment\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=5\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.3803\\n\\tHostId=86ae1f05-ba62-47ff-b103-5760ecb2c843\\n\\tHostApplication=powershell.exe -ExecutionPolicy Restricted -Command \\n $isBroken = 0\\n\\n # Define the root registry path\\n $ShellRegRoot = 'HKCU:\\\\Software\\\\Classes\\\\Local Settings\\\\Software\\\\Microsoft\\\\Windows\\\\Shell'\\n $bagMRURoot = $ShellRegRoot + '\\\\BagMRU'\\n $bagRoot = $ShellRegRoot + '\\\\Bags'\\n\\n # Define the target GUID tail for MSGraphHome\\n $HomeFolderGuid = '14001F400E3174F8B7B6DC47BC84B9E6B38F59030000'\\n\\n $properties = Get-ItemProperty -Path $bagMRURoot\\n\\n foreach ($property in $properties.PSObject.Properties) {\\n if ($property.TypeNameOfValue -eq 'System.Byte[]') {\\n $hexString = ($property.Value | ForEach-Object { $_.ToString('X2') }) -join ''\\n if ($hexString -eq $HomeFolderGuid) {\\n $subkey = $property.Name\\n $nodeSlot = Get-ItemPropertyValue -Path ($bagMRURoot + '\\\\' + $subkey) -Name 'NodeSlot'\\n $isBroken = if ((Get-ItemPropertyValue -Path ($bagRoot + '\\\\' + $nodeSlot + '\\\\Shell\\\\*') -Name 'GroupView') -eq 0) { 1 } else { 0 }\\n break\\n }\\n }\\n }\\n\\n Write-Host 'Final result:',$isBroken\\n\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "19", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-16T14:22:46.6940754+00:00", "RecordNumber": 19 } { "PayloadData1": "HostApplication=powershell.exe -ExecutionPolicy Restricted -Command \r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.3803\r", "MapDescription": "Provider is Started", "ChunkNumber": 0, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"FileSystem, Started, \\tProviderName=FileSystem\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=7\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.3803\\n\\tHostId=86ae1f05-ba62-47ff-b103-5760ecb2c843\\n\\tHostApplication=powershell.exe -ExecutionPolicy Restricted -Command \\n $isBroken = 0\\n\\n # Define the root registry path\\n $ShellRegRoot = 'HKCU:\\\\Software\\\\Classes\\\\Local Settings\\\\Software\\\\Microsoft\\\\Windows\\\\Shell'\\n $bagMRURoot = $ShellRegRoot + '\\\\BagMRU'\\n $bagRoot = $ShellRegRoot + '\\\\Bags'\\n\\n # Define the target GUID tail for MSGraphHome\\n $HomeFolderGuid = '14001F400E3174F8B7B6DC47BC84B9E6B38F59030000'\\n\\n $properties = Get-ItemProperty -Path $bagMRURoot\\n\\n foreach ($property in $properties.PSObject.Properties) {\\n if ($property.TypeNameOfValue -eq 'System.Byte[]') {\\n $hexString = ($property.Value | ForEach-Object { $_.ToString('X2') }) -join ''\\n if ($hexString -eq $HomeFolderGuid) {\\n $subkey = $property.Name\\n $nodeSlot = Get-ItemPropertyValue -Path ($bagMRURoot + '\\\\' + $subkey) -Name 'NodeSlot'\\n $isBroken = if ((Get-ItemPropertyValue -Path ($bagRoot + '\\\\' + $nodeSlot + '\\\\Shell\\\\*') -Name 'GroupView') -eq 0) { 1 } else { 0 }\\n break\\n }\\n }\\n }\\n\\n Write-Host 'Final result:',$isBroken\\n\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "20", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-16T14:22:46.6963008+00:00", "RecordNumber": 20 } { "PayloadData1": "HostApplication=powershell.exe -ExecutionPolicy Restricted -Command \r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.3803\r", "MapDescription": "Provider is Started", "ChunkNumber": 0, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Function, Started, \\tProviderName=Function\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=9\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.3803\\n\\tHostId=86ae1f05-ba62-47ff-b103-5760ecb2c843\\n\\tHostApplication=powershell.exe -ExecutionPolicy Restricted -Command \\n $isBroken = 0\\n\\n # Define the root registry path\\n $ShellRegRoot = 'HKCU:\\\\Software\\\\Classes\\\\Local Settings\\\\Software\\\\Microsoft\\\\Windows\\\\Shell'\\n $bagMRURoot = $ShellRegRoot + '\\\\BagMRU'\\n $bagRoot = $ShellRegRoot + '\\\\Bags'\\n\\n # Define the target GUID tail for MSGraphHome\\n $HomeFolderGuid = '14001F400E3174F8B7B6DC47BC84B9E6B38F59030000'\\n\\n $properties = Get-ItemProperty -Path $bagMRURoot\\n\\n foreach ($property in $properties.PSObject.Properties) {\\n if ($property.TypeNameOfValue -eq 'System.Byte[]') {\\n $hexString = ($property.Value | ForEach-Object { $_.ToString('X2') }) -join ''\\n if ($hexString -eq $HomeFolderGuid) {\\n $subkey = $property.Name\\n $nodeSlot = Get-ItemPropertyValue -Path ($bagMRURoot + '\\\\' + $subkey) -Name 'NodeSlot'\\n $isBroken = if ((Get-ItemPropertyValue -Path ($bagRoot + '\\\\' + $nodeSlot + '\\\\Shell\\\\*') -Name 'GroupView') -eq 0) { 1 } else { 0 }\\n break\\n }\\n }\\n }\\n\\n Write-Host 'Final result:',$isBroken\\n\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "21", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-16T14:22:46.6963008+00:00", "RecordNumber": 21 } { "PayloadData1": "HostApplication=powershell.exe -ExecutionPolicy Restricted -Command \r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.3803\r", "MapDescription": "Provider is Started", "ChunkNumber": 0, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Variable, Started, \\tProviderName=Variable\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=11\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.3803\\n\\tHostId=86ae1f05-ba62-47ff-b103-5760ecb2c843\\n\\tHostApplication=powershell.exe -ExecutionPolicy Restricted -Command \\n $isBroken = 0\\n\\n # Define the root registry path\\n $ShellRegRoot = 'HKCU:\\\\Software\\\\Classes\\\\Local Settings\\\\Software\\\\Microsoft\\\\Windows\\\\Shell'\\n $bagMRURoot = $ShellRegRoot + '\\\\BagMRU'\\n $bagRoot = $ShellRegRoot + '\\\\Bags'\\n\\n # Define the target GUID tail for MSGraphHome\\n $HomeFolderGuid = '14001F400E3174F8B7B6DC47BC84B9E6B38F59030000'\\n\\n $properties = Get-ItemProperty -Path $bagMRURoot\\n\\n foreach ($property in $properties.PSObject.Properties) {\\n if ($property.TypeNameOfValue -eq 'System.Byte[]') {\\n $hexString = ($property.Value | ForEach-Object { $_.ToString('X2') }) -join ''\\n if ($hexString -eq $HomeFolderGuid) {\\n $subkey = $property.Name\\n $nodeSlot = Get-ItemPropertyValue -Path ($bagMRURoot + '\\\\' + $subkey) -Name 'NodeSlot'\\n $isBroken = if ((Get-ItemPropertyValue -Path ($bagRoot + '\\\\' + $nodeSlot + '\\\\Shell\\\\*') -Name 'GroupView') -eq 0) { 1 } else { 0 }\\n break\\n }\\n }\\n }\\n\\n Write-Host 'Final result:',$isBroken\\n\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "22", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-16T14:22:46.6963008+00:00", "RecordNumber": 22 } { "PayloadData1": "HostApplication=powershell.exe -ExecutionPolicy Restricted -Command \r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.3803\r", "MapDescription": "Engine state is changed from None to Available", "ChunkNumber": 0, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Available, None, \\tNewEngineState=Available\\n\\tPreviousEngineState=None\\n\\n\\tSequenceNumber=13\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.3803\\n\\tHostId=86ae1f05-ba62-47ff-b103-5760ecb2c843\\n\\tHostApplication=powershell.exe -ExecutionPolicy Restricted -Command \\n $isBroken = 0\\n\\n # Define the root registry path\\n $ShellRegRoot = 'HKCU:\\\\Software\\\\Classes\\\\Local Settings\\\\Software\\\\Microsoft\\\\Windows\\\\Shell'\\n $bagMRURoot = $ShellRegRoot + '\\\\BagMRU'\\n $bagRoot = $ShellRegRoot + '\\\\Bags'\\n\\n # Define the target GUID tail for MSGraphHome\\n $HomeFolderGuid = '14001F400E3174F8B7B6DC47BC84B9E6B38F59030000'\\n\\n $properties = Get-ItemProperty -Path $bagMRURoot\\n\\n foreach ($property in $properties.PSObject.Properties) {\\n if ($property.TypeNameOfValue -eq 'System.Byte[]') {\\n $hexString = ($property.Value | ForEach-Object { $_.ToString('X2') }) -join ''\\n if ($hexString -eq $HomeFolderGuid) {\\n $subkey = $property.Name\\n $nodeSlot = Get-ItemPropertyValue -Path ($bagMRURoot + '\\\\' + $subkey) -Name 'NodeSlot'\\n $isBroken = if ((Get-ItemPropertyValue -Path ($bagRoot + '\\\\' + $nodeSlot + '\\\\Shell\\\\*') -Name 'GroupView') -eq 0) { 1 } else { 0 }\\n break\\n }\\n }\\n }\\n\\n Write-Host 'Final result:',$isBroken\\n\\n\\tEngineVersion=5.1.19041.3803\\n\\tRunspaceId=175145d9-ebf3-4e40-895b-29ff1ac43639\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 400, "EventRecordId": "23", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-16T14:22:46.7510372+00:00", "RecordNumber": 23 } { "PayloadData1": "HostApplication=powershell.exe -ExecutionPolicy Restricted -Command \r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.3803\r", "MapDescription": "Engine state is changed from Available to Stopped", "ChunkNumber": 0, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Stopped, Available, \\tNewEngineState=Stopped\\n\\tPreviousEngineState=Available\\n\\n\\tSequenceNumber=15\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.3803\\n\\tHostId=86ae1f05-ba62-47ff-b103-5760ecb2c843\\n\\tHostApplication=powershell.exe -ExecutionPolicy Restricted -Command \\n $isBroken = 0\\n\\n # Define the root registry path\\n $ShellRegRoot = 'HKCU:\\\\Software\\\\Classes\\\\Local Settings\\\\Software\\\\Microsoft\\\\Windows\\\\Shell'\\n $bagMRURoot = $ShellRegRoot + '\\\\BagMRU'\\n $bagRoot = $ShellRegRoot + '\\\\Bags'\\n\\n # Define the target GUID tail for MSGraphHome\\n $HomeFolderGuid = '14001F400E3174F8B7B6DC47BC84B9E6B38F59030000'\\n\\n $properties = Get-ItemProperty -Path $bagMRURoot\\n\\n foreach ($property in $properties.PSObject.Properties) {\\n if ($property.TypeNameOfValue -eq 'System.Byte[]') {\\n $hexString = ($property.Value | ForEach-Object { $_.ToString('X2') }) -join ''\\n if ($hexString -eq $HomeFolderGuid) {\\n $subkey = $property.Name\\n $nodeSlot = Get-ItemPropertyValue -Path ($bagMRURoot + '\\\\' + $subkey) -Name 'NodeSlot'\\n $isBroken = if ((Get-ItemPropertyValue -Path ($bagRoot + '\\\\' + $nodeSlot + '\\\\Shell\\\\*') -Name 'GroupView') -eq 0) { 1 } else { 0 }\\n break\\n }\\n }\\n }\\n\\n Write-Host 'Final result:',$isBroken\\n\\n\\tEngineVersion=5.1.19041.3803\\n\\tRunspaceId=175145d9-ebf3-4e40-895b-29ff1ac43639\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 403, "EventRecordId": "24", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-16T14:22:48.1413240+00:00", "RecordNumber": 24 } { "PayloadData1": "HostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.3803\r", "MapDescription": "Provider is Started", "ChunkNumber": 0, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Registry, Started, \\tProviderName=Registry\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=1\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.3803\\n\\tHostId=e82e05a1-106c-4928-994c-e6f8a7066f25\\n\\tHostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "25", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-16T14:22:49.8269806+00:00", "RecordNumber": 25 } { "PayloadData1": "HostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.3803\r", "MapDescription": "Provider is Started", "ChunkNumber": 0, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Alias, Started, \\tProviderName=Alias\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=3\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.3803\\n\\tHostId=e82e05a1-106c-4928-994c-e6f8a7066f25\\n\\tHostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "26", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-16T14:22:49.8278246+00:00", "RecordNumber": 26 } { "PayloadData1": "HostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.3803\r", "MapDescription": "Provider is Started", "ChunkNumber": 0, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Environment, Started, \\tProviderName=Environment\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=5\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.3803\\n\\tHostId=e82e05a1-106c-4928-994c-e6f8a7066f25\\n\\tHostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "27", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-16T14:22:49.8289289+00:00", "RecordNumber": 27 } { "PayloadData1": "HostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.3803\r", "MapDescription": "Provider is Started", "ChunkNumber": 0, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"FileSystem, Started, \\tProviderName=FileSystem\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=7\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.3803\\n\\tHostId=e82e05a1-106c-4928-994c-e6f8a7066f25\\n\\tHostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "28", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-16T14:22:49.8308297+00:00", "RecordNumber": 28 } { "PayloadData1": "HostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.3803\r", "MapDescription": "Provider is Started", "ChunkNumber": 0, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Function, Started, \\tProviderName=Function\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=9\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.3803\\n\\tHostId=e82e05a1-106c-4928-994c-e6f8a7066f25\\n\\tHostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "29", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-16T14:22:49.8308297+00:00", "RecordNumber": 29 } { "PayloadData1": "HostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.3803\r", "MapDescription": "Provider is Started", "ChunkNumber": 0, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Variable, Started, \\tProviderName=Variable\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=11\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.3803\\n\\tHostId=e82e05a1-106c-4928-994c-e6f8a7066f25\\n\\tHostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "30", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-16T14:22:49.8308297+00:00", "RecordNumber": 30 } { "PayloadData1": "HostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.3803\r", "MapDescription": "Engine state is changed from None to Available", "ChunkNumber": 0, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Available, None, \\tNewEngineState=Available\\n\\tPreviousEngineState=None\\n\\n\\tSequenceNumber=13\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.3803\\n\\tHostId=e82e05a1-106c-4928-994c-e6f8a7066f25\\n\\tHostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';\\n\\tEngineVersion=5.1.19041.3803\\n\\tRunspaceId=c47d46dc-49d2-4808-af71-2bb23dc5859e\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 400, "EventRecordId": "31", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-16T14:22:49.8354223+00:00", "RecordNumber": 31 } { "PayloadData1": "HostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.3803\r", "MapDescription": "Engine state is changed from Available to Stopped", "ChunkNumber": 0, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Stopped, Available, \\tNewEngineState=Stopped\\n\\tPreviousEngineState=Available\\n\\n\\tSequenceNumber=15\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.3803\\n\\tHostId=e82e05a1-106c-4928-994c-e6f8a7066f25\\n\\tHostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';\\n\\tEngineVersion=5.1.19041.3803\\n\\tRunspaceId=c47d46dc-49d2-4808-af71-2bb23dc5859e\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 403, "EventRecordId": "32", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-16T14:22:50.2420030+00:00", "RecordNumber": 32 } { "PayloadData1": "HostApplication=C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.3803\r", "MapDescription": "Provider is Started", "ChunkNumber": 0, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Registry, Started, \\tProviderName=Registry\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=1\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.3803\\n\\tHostId=7855adb3-5cc0-4dba-9546-610c385fbad4\\n\\tHostApplication=C:\\\\Windows\\\\SysWOW64\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "33", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-16T21:44:49.6337062+00:00", "RecordNumber": 33 } { "PayloadData1": "HostApplication=C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.3803\r", "MapDescription": "Provider is Started", "ChunkNumber": 0, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Alias, Started, \\tProviderName=Alias\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=3\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.3803\\n\\tHostId=7855adb3-5cc0-4dba-9546-610c385fbad4\\n\\tHostApplication=C:\\\\Windows\\\\SysWOW64\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "34", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-16T21:44:49.6408741+00:00", "RecordNumber": 34 } { "PayloadData1": "HostApplication=C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.3803\r", "MapDescription": "Provider is Started", "ChunkNumber": 0, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Environment, Started, \\tProviderName=Environment\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=5\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.3803\\n\\tHostId=7855adb3-5cc0-4dba-9546-610c385fbad4\\n\\tHostApplication=C:\\\\Windows\\\\SysWOW64\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "35", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-16T21:44:49.6418788+00:00", "RecordNumber": 35 } { "PayloadData1": "HostApplication=C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.3803\r", "MapDescription": "Provider is Started", "ChunkNumber": 0, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"FileSystem, Started, \\tProviderName=FileSystem\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=7\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.3803\\n\\tHostId=7855adb3-5cc0-4dba-9546-610c385fbad4\\n\\tHostApplication=C:\\\\Windows\\\\SysWOW64\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "36", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-16T21:44:49.6487634+00:00", "RecordNumber": 36 } { "PayloadData1": "HostApplication=C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.3803\r", "MapDescription": "Provider is Started", "ChunkNumber": 0, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Function, Started, \\tProviderName=Function\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=9\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.3803\\n\\tHostId=7855adb3-5cc0-4dba-9546-610c385fbad4\\n\\tHostApplication=C:\\\\Windows\\\\SysWOW64\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "37", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-16T21:44:49.6487634+00:00", "RecordNumber": 37 } { "PayloadData1": "HostApplication=C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.3803\r", "MapDescription": "Provider is Started", "ChunkNumber": 0, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Variable, Started, \\tProviderName=Variable\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=11\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.3803\\n\\tHostId=7855adb3-5cc0-4dba-9546-610c385fbad4\\n\\tHostApplication=C:\\\\Windows\\\\SysWOW64\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "38", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-16T21:44:49.6487634+00:00", "RecordNumber": 38 } { "PayloadData1": "HostApplication=C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.3803\r", "MapDescription": "Engine state is changed from None to Available", "ChunkNumber": 0, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Available, None, \\tNewEngineState=Available\\n\\tPreviousEngineState=None\\n\\n\\tSequenceNumber=13\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.3803\\n\\tHostId=7855adb3-5cc0-4dba-9546-610c385fbad4\\n\\tHostApplication=C:\\\\Windows\\\\SysWOW64\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\n\\tEngineVersion=5.1.19041.3803\\n\\tRunspaceId=e8a2ab8f-1083-4aad-bd6b-131b24219f5c\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 400, "EventRecordId": "39", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-16T21:44:49.7771808+00:00", "RecordNumber": 39 } { "PayloadData1": "HostApplication=powershell.exe -ExecutionPolicy Restricted -Command \r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.3803\r", "MapDescription": "Provider is Started", "ChunkNumber": 0, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Registry, Started, \\tProviderName=Registry\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=1\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.3803\\n\\tHostId=887b085c-56a6-46a2-b953-643980aad6b9\\n\\tHostApplication=powershell.exe -ExecutionPolicy Restricted -Command \\n $isBroken = 0\\n\\n # Define the root registry path\\n $ShellRegRoot = 'HKCU:\\\\Software\\\\Classes\\\\Local Settings\\\\Software\\\\Microsoft\\\\Windows\\\\Shell'\\n $bagMRURoot = $ShellRegRoot + '\\\\BagMRU'\\n $bagRoot = $ShellRegRoot + '\\\\Bags'\\n\\n # Define the target GUID tail for MSGraphHome\\n $HomeFolderGuid = '14001F400E3174F8B7B6DC47BC84B9E6B38F59030000'\\n\\n $properties = Get-ItemProperty -Path $bagMRURoot\\n\\n foreach ($property in $properties.PSObject.Properties) {\\n if ($property.TypeNameOfValue -eq 'System.Byte[]') {\\n $hexString = ($property.Value | ForEach-Object { $_.ToString('X2') }) -join ''\\n if ($hexString -eq $HomeFolderGuid) {\\n $subkey = $property.Name\\n $nodeSlot = Get-ItemPropertyValue -Path ($bagMRURoot + '\\\\' + $subkey) -Name 'NodeSlot'\\n $isBroken = if ((Get-ItemPropertyValue -Path ($bagRoot + '\\\\' + $nodeSlot + '\\\\Shell\\\\*') -Name 'GroupView') -eq 0) { 1 } else { 0 }\\n break\\n }\\n }\\n }\\n\\n Write-Host 'Final result:',$isBroken\\n\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "40", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-17T02:59:42.1635257+00:00", "RecordNumber": 40 } { "PayloadData1": "HostApplication=powershell.exe -ExecutionPolicy Restricted -Command \r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.3803\r", "MapDescription": "Provider is Started", "ChunkNumber": 0, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Alias, Started, \\tProviderName=Alias\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=3\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.3803\\n\\tHostId=887b085c-56a6-46a2-b953-643980aad6b9\\n\\tHostApplication=powershell.exe -ExecutionPolicy Restricted -Command \\n $isBroken = 0\\n\\n # Define the root registry path\\n $ShellRegRoot = 'HKCU:\\\\Software\\\\Classes\\\\Local Settings\\\\Software\\\\Microsoft\\\\Windows\\\\Shell'\\n $bagMRURoot = $ShellRegRoot + '\\\\BagMRU'\\n $bagRoot = $ShellRegRoot + '\\\\Bags'\\n\\n # Define the target GUID tail for MSGraphHome\\n $HomeFolderGuid = '14001F400E3174F8B7B6DC47BC84B9E6B38F59030000'\\n\\n $properties = Get-ItemProperty -Path $bagMRURoot\\n\\n foreach ($property in $properties.PSObject.Properties) {\\n if ($property.TypeNameOfValue -eq 'System.Byte[]') {\\n $hexString = ($property.Value | ForEach-Object { $_.ToString('X2') }) -join ''\\n if ($hexString -eq $HomeFolderGuid) {\\n $subkey = $property.Name\\n $nodeSlot = Get-ItemPropertyValue -Path ($bagMRURoot + '\\\\' + $subkey) -Name 'NodeSlot'\\n $isBroken = if ((Get-ItemPropertyValue -Path ($bagRoot + '\\\\' + $nodeSlot + '\\\\Shell\\\\*') -Name 'GroupView') -eq 0) { 1 } else { 0 }\\n break\\n }\\n }\\n }\\n\\n Write-Host 'Final result:',$isBroken\\n\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "41", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-17T02:59:42.1635257+00:00", "RecordNumber": 41 } { "PayloadData1": "HostApplication=powershell.exe -ExecutionPolicy Restricted -Command \r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.3803\r", "MapDescription": "Provider is Started", "ChunkNumber": 1, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Environment, Started, \\tProviderName=Environment\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=5\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.3803\\n\\tHostId=887b085c-56a6-46a2-b953-643980aad6b9\\n\\tHostApplication=powershell.exe -ExecutionPolicy Restricted -Command \\n $isBroken = 0\\n\\n # Define the root registry path\\n $ShellRegRoot = 'HKCU:\\\\Software\\\\Classes\\\\Local Settings\\\\Software\\\\Microsoft\\\\Windows\\\\Shell'\\n $bagMRURoot = $ShellRegRoot + '\\\\BagMRU'\\n $bagRoot = $ShellRegRoot + '\\\\Bags'\\n\\n # Define the target GUID tail for MSGraphHome\\n $HomeFolderGuid = '14001F400E3174F8B7B6DC47BC84B9E6B38F59030000'\\n\\n $properties = Get-ItemProperty -Path $bagMRURoot\\n\\n foreach ($property in $properties.PSObject.Properties) {\\n if ($property.TypeNameOfValue -eq 'System.Byte[]') {\\n $hexString = ($property.Value | ForEach-Object { $_.ToString('X2') }) -join ''\\n if ($hexString -eq $HomeFolderGuid) {\\n $subkey = $property.Name\\n $nodeSlot = Get-ItemPropertyValue -Path ($bagMRURoot + '\\\\' + $subkey) -Name 'NodeSlot'\\n $isBroken = if ((Get-ItemPropertyValue -Path ($bagRoot + '\\\\' + $nodeSlot + '\\\\Shell\\\\*') -Name 'GroupView') -eq 0) { 1 } else { 0 }\\n break\\n }\\n }\\n }\\n\\n Write-Host 'Final result:',$isBroken\\n\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "42", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-17T02:59:42.1672549+00:00", "RecordNumber": 42 } { "PayloadData1": "HostApplication=powershell.exe -ExecutionPolicy Restricted -Command \r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.3803\r", "MapDescription": "Provider is Started", "ChunkNumber": 1, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"FileSystem, Started, \\tProviderName=FileSystem\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=7\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.3803\\n\\tHostId=887b085c-56a6-46a2-b953-643980aad6b9\\n\\tHostApplication=powershell.exe -ExecutionPolicy Restricted -Command \\n $isBroken = 0\\n\\n # Define the root registry path\\n $ShellRegRoot = 'HKCU:\\\\Software\\\\Classes\\\\Local Settings\\\\Software\\\\Microsoft\\\\Windows\\\\Shell'\\n $bagMRURoot = $ShellRegRoot + '\\\\BagMRU'\\n $bagRoot = $ShellRegRoot + '\\\\Bags'\\n\\n # Define the target GUID tail for MSGraphHome\\n $HomeFolderGuid = '14001F400E3174F8B7B6DC47BC84B9E6B38F59030000'\\n\\n $properties = Get-ItemProperty -Path $bagMRURoot\\n\\n foreach ($property in $properties.PSObject.Properties) {\\n if ($property.TypeNameOfValue -eq 'System.Byte[]') {\\n $hexString = ($property.Value | ForEach-Object { $_.ToString('X2') }) -join ''\\n if ($hexString -eq $HomeFolderGuid) {\\n $subkey = $property.Name\\n $nodeSlot = Get-ItemPropertyValue -Path ($bagMRURoot + '\\\\' + $subkey) -Name 'NodeSlot'\\n $isBroken = if ((Get-ItemPropertyValue -Path ($bagRoot + '\\\\' + $nodeSlot + '\\\\Shell\\\\*') -Name 'GroupView') -eq 0) { 1 } else { 0 }\\n break\\n }\\n }\\n }\\n\\n Write-Host 'Final result:',$isBroken\\n\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "43", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-17T02:59:42.1773397+00:00", "RecordNumber": 43 } { "PayloadData1": "HostApplication=powershell.exe -ExecutionPolicy Restricted -Command \r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.3803\r", "MapDescription": "Provider is Started", "ChunkNumber": 1, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Function, Started, \\tProviderName=Function\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=9\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.3803\\n\\tHostId=887b085c-56a6-46a2-b953-643980aad6b9\\n\\tHostApplication=powershell.exe -ExecutionPolicy Restricted -Command \\n $isBroken = 0\\n\\n # Define the root registry path\\n $ShellRegRoot = 'HKCU:\\\\Software\\\\Classes\\\\Local Settings\\\\Software\\\\Microsoft\\\\Windows\\\\Shell'\\n $bagMRURoot = $ShellRegRoot + '\\\\BagMRU'\\n $bagRoot = $ShellRegRoot + '\\\\Bags'\\n\\n # Define the target GUID tail for MSGraphHome\\n $HomeFolderGuid = '14001F400E3174F8B7B6DC47BC84B9E6B38F59030000'\\n\\n $properties = Get-ItemProperty -Path $bagMRURoot\\n\\n foreach ($property in $properties.PSObject.Properties) {\\n if ($property.TypeNameOfValue -eq 'System.Byte[]') {\\n $hexString = ($property.Value | ForEach-Object { $_.ToString('X2') }) -join ''\\n if ($hexString -eq $HomeFolderGuid) {\\n $subkey = $property.Name\\n $nodeSlot = Get-ItemPropertyValue -Path ($bagMRURoot + '\\\\' + $subkey) -Name 'NodeSlot'\\n $isBroken = if ((Get-ItemPropertyValue -Path ($bagRoot + '\\\\' + $nodeSlot + '\\\\Shell\\\\*') -Name 'GroupView') -eq 0) { 1 } else { 0 }\\n break\\n }\\n }\\n }\\n\\n Write-Host 'Final result:',$isBroken\\n\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "44", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-17T02:59:42.1773397+00:00", "RecordNumber": 44 } { "PayloadData1": "HostApplication=powershell.exe -ExecutionPolicy Restricted -Command \r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.3803\r", "MapDescription": "Provider is Started", "ChunkNumber": 1, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Variable, Started, \\tProviderName=Variable\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=11\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.3803\\n\\tHostId=887b085c-56a6-46a2-b953-643980aad6b9\\n\\tHostApplication=powershell.exe -ExecutionPolicy Restricted -Command \\n $isBroken = 0\\n\\n # Define the root registry path\\n $ShellRegRoot = 'HKCU:\\\\Software\\\\Classes\\\\Local Settings\\\\Software\\\\Microsoft\\\\Windows\\\\Shell'\\n $bagMRURoot = $ShellRegRoot + '\\\\BagMRU'\\n $bagRoot = $ShellRegRoot + '\\\\Bags'\\n\\n # Define the target GUID tail for MSGraphHome\\n $HomeFolderGuid = '14001F400E3174F8B7B6DC47BC84B9E6B38F59030000'\\n\\n $properties = Get-ItemProperty -Path $bagMRURoot\\n\\n foreach ($property in $properties.PSObject.Properties) {\\n if ($property.TypeNameOfValue -eq 'System.Byte[]') {\\n $hexString = ($property.Value | ForEach-Object { $_.ToString('X2') }) -join ''\\n if ($hexString -eq $HomeFolderGuid) {\\n $subkey = $property.Name\\n $nodeSlot = Get-ItemPropertyValue -Path ($bagMRURoot + '\\\\' + $subkey) -Name 'NodeSlot'\\n $isBroken = if ((Get-ItemPropertyValue -Path ($bagRoot + '\\\\' + $nodeSlot + '\\\\Shell\\\\*') -Name 'GroupView') -eq 0) { 1 } else { 0 }\\n break\\n }\\n }\\n }\\n\\n Write-Host 'Final result:',$isBroken\\n\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "45", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-17T02:59:42.1773397+00:00", "RecordNumber": 45 } { "PayloadData1": "HostApplication=powershell.exe -ExecutionPolicy Restricted -Command \r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.3803\r", "MapDescription": "Engine state is changed from None to Available", "ChunkNumber": 1, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Available, None, \\tNewEngineState=Available\\n\\tPreviousEngineState=None\\n\\n\\tSequenceNumber=13\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.3803\\n\\tHostId=887b085c-56a6-46a2-b953-643980aad6b9\\n\\tHostApplication=powershell.exe -ExecutionPolicy Restricted -Command \\n $isBroken = 0\\n\\n # Define the root registry path\\n $ShellRegRoot = 'HKCU:\\\\Software\\\\Classes\\\\Local Settings\\\\Software\\\\Microsoft\\\\Windows\\\\Shell'\\n $bagMRURoot = $ShellRegRoot + '\\\\BagMRU'\\n $bagRoot = $ShellRegRoot + '\\\\Bags'\\n\\n # Define the target GUID tail for MSGraphHome\\n $HomeFolderGuid = '14001F400E3174F8B7B6DC47BC84B9E6B38F59030000'\\n\\n $properties = Get-ItemProperty -Path $bagMRURoot\\n\\n foreach ($property in $properties.PSObject.Properties) {\\n if ($property.TypeNameOfValue -eq 'System.Byte[]') {\\n $hexString = ($property.Value | ForEach-Object { $_.ToString('X2') }) -join ''\\n if ($hexString -eq $HomeFolderGuid) {\\n $subkey = $property.Name\\n $nodeSlot = Get-ItemPropertyValue -Path ($bagMRURoot + '\\\\' + $subkey) -Name 'NodeSlot'\\n $isBroken = if ((Get-ItemPropertyValue -Path ($bagRoot + '\\\\' + $nodeSlot + '\\\\Shell\\\\*') -Name 'GroupView') -eq 0) { 1 } else { 0 }\\n break\\n }\\n }\\n }\\n\\n Write-Host 'Final result:',$isBroken\\n\\n\\tEngineVersion=5.1.19041.3803\\n\\tRunspaceId=ec98e098-0c0f-4c9d-afdc-fbeafe0fd5e0\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 400, "EventRecordId": "46", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-17T02:59:42.3726766+00:00", "RecordNumber": 46 } { "PayloadData1": "HostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.3803\r", "MapDescription": "Provider is Started", "ChunkNumber": 1, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Registry, Started, \\tProviderName=Registry\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=1\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.3803\\n\\tHostId=9cbc9c85-221c-40e9-bdbe-59769c07ee36\\n\\tHostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "47", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-17T02:59:45.7963338+00:00", "RecordNumber": 47 } { "PayloadData1": "HostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.3803\r", "MapDescription": "Provider is Started", "ChunkNumber": 1, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Alias, Started, \\tProviderName=Alias\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=3\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.3803\\n\\tHostId=9cbc9c85-221c-40e9-bdbe-59769c07ee36\\n\\tHostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "48", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-17T02:59:45.7963338+00:00", "RecordNumber": 48 } { "PayloadData1": "HostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.3803\r", "MapDescription": "Provider is Started", "ChunkNumber": 1, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Environment, Started, \\tProviderName=Environment\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=5\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.3803\\n\\tHostId=9cbc9c85-221c-40e9-bdbe-59769c07ee36\\n\\tHostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "49", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-17T02:59:45.7963338+00:00", "RecordNumber": 49 } { "PayloadData1": "HostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.3803\r", "MapDescription": "Provider is Started", "ChunkNumber": 1, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"FileSystem, Started, \\tProviderName=FileSystem\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=7\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.3803\\n\\tHostId=9cbc9c85-221c-40e9-bdbe-59769c07ee36\\n\\tHostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "50", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-17T02:59:45.7963338+00:00", "RecordNumber": 50 } { "PayloadData1": "HostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.3803\r", "MapDescription": "Provider is Started", "ChunkNumber": 1, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Function, Started, \\tProviderName=Function\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=9\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.3803\\n\\tHostId=9cbc9c85-221c-40e9-bdbe-59769c07ee36\\n\\tHostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "51", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-17T02:59:45.7963338+00:00", "RecordNumber": 51 } { "PayloadData1": "HostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.3803\r", "MapDescription": "Provider is Started", "ChunkNumber": 1, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Variable, Started, \\tProviderName=Variable\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=11\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.3803\\n\\tHostId=9cbc9c85-221c-40e9-bdbe-59769c07ee36\\n\\tHostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "52", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-17T02:59:45.7963338+00:00", "RecordNumber": 52 } { "PayloadData1": "HostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.3803\r", "MapDescription": "Engine state is changed from None to Available", "ChunkNumber": 1, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Available, None, \\tNewEngineState=Available\\n\\tPreviousEngineState=None\\n\\n\\tSequenceNumber=13\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.3803\\n\\tHostId=9cbc9c85-221c-40e9-bdbe-59769c07ee36\\n\\tHostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';\\n\\tEngineVersion=5.1.19041.3803\\n\\tRunspaceId=b3d0292e-7087-415b-bf48-88def0f5330d\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 400, "EventRecordId": "53", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-17T02:59:45.8454748+00:00", "RecordNumber": 53 } { "PayloadData1": "HostApplication=powershell.exe -ExecutionPolicy Restricted -Command \r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.3803\r", "MapDescription": "Engine state is changed from Available to Stopped", "ChunkNumber": 1, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Stopped, Available, \\tNewEngineState=Stopped\\n\\tPreviousEngineState=Available\\n\\n\\tSequenceNumber=15\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.3803\\n\\tHostId=887b085c-56a6-46a2-b953-643980aad6b9\\n\\tHostApplication=powershell.exe -ExecutionPolicy Restricted -Command \\n $isBroken = 0\\n\\n # Define the root registry path\\n $ShellRegRoot = 'HKCU:\\\\Software\\\\Classes\\\\Local Settings\\\\Software\\\\Microsoft\\\\Windows\\\\Shell'\\n $bagMRURoot = $ShellRegRoot + '\\\\BagMRU'\\n $bagRoot = $ShellRegRoot + '\\\\Bags'\\n\\n # Define the target GUID tail for MSGraphHome\\n $HomeFolderGuid = '14001F400E3174F8B7B6DC47BC84B9E6B38F59030000'\\n\\n $properties = Get-ItemProperty -Path $bagMRURoot\\n\\n foreach ($property in $properties.PSObject.Properties) {\\n if ($property.TypeNameOfValue -eq 'System.Byte[]') {\\n $hexString = ($property.Value | ForEach-Object { $_.ToString('X2') }) -join ''\\n if ($hexString -eq $HomeFolderGuid) {\\n $subkey = $property.Name\\n $nodeSlot = Get-ItemPropertyValue -Path ($bagMRURoot + '\\\\' + $subkey) -Name 'NodeSlot'\\n $isBroken = if ((Get-ItemPropertyValue -Path ($bagRoot + '\\\\' + $nodeSlot + '\\\\Shell\\\\*') -Name 'GroupView') -eq 0) { 1 } else { 0 }\\n break\\n }\\n }\\n }\\n\\n Write-Host 'Final result:',$isBroken\\n\\n\\tEngineVersion=5.1.19041.3803\\n\\tRunspaceId=ec98e098-0c0f-4c9d-afdc-fbeafe0fd5e0\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 403, "EventRecordId": "54", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-17T02:59:46.2427784+00:00", "RecordNumber": 54 } { "PayloadData1": "HostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.3803\r", "MapDescription": "Engine state is changed from Available to Stopped", "ChunkNumber": 1, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Stopped, Available, \\tNewEngineState=Stopped\\n\\tPreviousEngineState=Available\\n\\n\\tSequenceNumber=15\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.3803\\n\\tHostId=9cbc9c85-221c-40e9-bdbe-59769c07ee36\\n\\tHostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';\\n\\tEngineVersion=5.1.19041.3803\\n\\tRunspaceId=b3d0292e-7087-415b-bf48-88def0f5330d\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 403, "EventRecordId": "55", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-17T02:59:46.5426524+00:00", "RecordNumber": 55 } { "PayloadData1": "HostApplication=powershell.exe -ExecutionPolicy Restricted -Command \r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.3803\r", "MapDescription": "Provider is Started", "ChunkNumber": 1, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Registry, Started, \\tProviderName=Registry\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=1\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.3803\\n\\tHostId=9cb7deaf-e3f3-471d-be90-100baf32235f\\n\\tHostApplication=powershell.exe -ExecutionPolicy Restricted -Command \\n $isBroken = 0\\n\\n # Define the root registry path\\n $ShellRegRoot = 'HKCU:\\\\Software\\\\Classes\\\\Local Settings\\\\Software\\\\Microsoft\\\\Windows\\\\Shell'\\n $bagMRURoot = $ShellRegRoot + '\\\\BagMRU'\\n $bagRoot = $ShellRegRoot + '\\\\Bags'\\n\\n # Define the target GUID tail for MSGraphHome\\n $HomeFolderGuid = '14001F400E3174F8B7B6DC47BC84B9E6B38F59030000'\\n\\n $properties = Get-ItemProperty -Path $bagMRURoot\\n\\n foreach ($property in $properties.PSObject.Properties) {\\n if ($property.TypeNameOfValue -eq 'System.Byte[]') {\\n $hexString = ($property.Value | ForEach-Object { $_.ToString('X2') }) -join ''\\n if ($hexString -eq $HomeFolderGuid) {\\n $subkey = $property.Name\\n $nodeSlot = Get-ItemPropertyValue -Path ($bagMRURoot + '\\\\' + $subkey) -Name 'NodeSlot'\\n $isBroken = if ((Get-ItemPropertyValue -Path ($bagRoot + '\\\\' + $nodeSlot + '\\\\Shell\\\\*') -Name 'GroupView') -eq 0) { 1 } else { 0 }\\n break\\n }\\n }\\n }\\n\\n Write-Host 'Final result:',$isBroken\\n\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "56", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-17T12:12:04.2422193+00:00", "RecordNumber": 56 } { "PayloadData1": "HostApplication=powershell.exe -ExecutionPolicy Restriced -Command \r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.3803\r", "MapDescription": "Provider is Started", "ChunkNumber": 1, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Alias, Started, \\tProviderName=Alias\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=3\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.3803\\n\\tHostId=9cb7deaf-e3f3-471d-be90-100baf32235f\\n\\tHostApplication=powershell.exe -ExecutionPolicy Restricted -Command \\n $isBroken = 0\\n\\n # Define the root registry path\\n $ShellRegRoot = 'HKCU:\\\\Software\\\\Classes\\\\Local Settings\\\\Software\\\\Microsoft\\\\Windows\\\\Shell'\\n $bagMRURoot = $ShellRegRoot + '\\\\BagMRU'\\n $bagRoot = $ShellRegRoot + '\\\\Bags'\\n\\n # Define the target GUID tail for MSGraphHome\\n $HomeFolderGuid = '14001F400E3174F8B7B6DC47BC84B9E6B38F59030000'\\n\\n $properties = Get-ItemProperty -Path $bagMRURoot\\n\\n foreach ($property in $properties.PSObject.Properties) {\\n if ($property.TypeNameOfValue -eq 'System.Byte[]') {\\n $hexString = ($property.Value | ForEach-Object { $_.ToString('X2') }) -join ''\\n if ($hexString -eq $HomeFolderGuid) {\\n $subkey = $property.Name\\n $nodeSlot = Get-ItemPropertyValue -Path ($bagMRURoot + '\\\\' + $subkey) -Name 'NodeSlot'\\n $isBroken = if ((Get-ItemPropertyValue -Path ($bagRoot + '\\\\' + $nodeSlot + '\\\\Shell\\\\*') -Name 'GroupView') -eq 0) { 1 } else { 0 }\\n break\\n }\\n }\\n }\\n\\n Write-Host 'Final result:',$isBroken\\n\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "57", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-17T12:12:04.2476883+00:00", "RecordNumber": 57 } { "PayloadData1": "HostApplication=powershell.exe -ExecutionPolicy Restricted -Command \r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.3803\r", "MapDescription": "Provider is Started", "ChunkNumber": 1, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Environment, Started, \\tProviderName=Environment\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=5\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.3803\\n\\tHostId=9cb7deaf-e3f3-471d-be90-100baf32235f\\n\\tHostApplication=powershell.exe -ExecutionPolicy Restricted -Command \\n $isBroken = 0\\n\\n # Define the root registry path\\n $ShellRegRoot = 'HKCU:\\\\Software\\\\Classes\\\\Local Settings\\\\Software\\\\Microsoft\\\\Windows\\\\Shell'\\n $bagMRURoot = $ShellRegRoot + '\\\\BagMRU'\\n $bagRoot = $ShellRegRoot + '\\\\Bags'\\n\\n # Define the target GUID tail for MSGraphHome\\n $HomeFolderGuid = '14001F400E3174F8B7B6DC47BC84B9E6B38F59030000'\\n\\n $properties = Get-ItemProperty -Path $bagMRURoot\\n\\n foreach ($property in $properties.PSObject.Properties) {\\n if ($property.TypeNameOfValue -eq 'System.Byte[]') {\\n $hexString = ($property.Value | ForEach-Object { $_.ToString('X2') }) -join ''\\n if ($hexString -eq $HomeFolderGuid) {\\n $subkey = $property.Name\\n $nodeSlot = Get-ItemPropertyValue -Path ($bagMRURoot + '\\\\' + $subkey) -Name 'NodeSlot'\\n $isBroken = if ((Get-ItemPropertyValue -Path ($bagRoot + '\\\\' + $nodeSlot + '\\\\Shell\\\\*') -Name 'GroupView') -eq 0) { 1 } else { 0 }\\n break\\n }\\n }\\n }\\n\\n Write-Host 'Final result:',$isBroken\\n\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "58", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-17T12:12:04.2476883+00:00", "RecordNumber": 58 } { "PayloadData1": "HostApplication=powershell.exe -ExecutionPolicy Restricted -Command \r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.3803\r", "MapDescription": "Provider is Started", "ChunkNumber": 1, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"FileSystem, Started, \\tProviderName=FileSystem\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=7\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.3803\\n\\tHostId=9cb7deaf-e3f3-471d-be90-100baf32235f\\n\\tHostApplication=powershell.exe -ExecutionPolicy Restricted -Command \\n $isBroken = 0\\n\\n # Define the root registry path\\n $ShellRegRoot = 'HKCU:\\\\Software\\\\Classes\\\\Local Settings\\\\Software\\\\Microsoft\\\\Windows\\\\Shell'\\n $bagMRURoot = $ShellRegRoot + '\\\\BagMRU'\\n $bagRoot = $ShellRegRoot + '\\\\Bags'\\n\\n # Define the target GUID tail for MSGraphHome\\n $HomeFolderGuid = '14001F400E3174F8B7B6DC47BC84B9E6B38F59030000'\\n\\n $properties = Get-ItemProperty -Path $bagMRURoot\\n\\n foreach ($property in $properties.PSObject.Properties) {\\n if ($property.TypeNameOfValue -eq 'System.Byte[]') {\\n $hexString = ($property.Value | ForEach-Object { $_.ToString('X2') }) -join ''\\n if ($hexString -eq $HomeFolderGuid) {\\n $subkey = $property.Name\\n $nodeSlot = Get-ItemPropertyValue -Path ($bagMRURoot + '\\\\' + $subkey) -Name 'NodeSlot'\\n $isBroken = if ((Get-ItemPropertyValue -Path ($bagRoot + '\\\\' + $nodeSlot + '\\\\Shell\\\\*') -Name 'GroupView') -eq 0) { 1 } else { 0 }\\n break\\n }\\n }\\n }\\n\\n Write-Host 'Final result:',$isBroken\\n\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "59", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-17T12:12:04.2476883+00:00", "RecordNumber": 59 } { "PayloadData1": "HostApplication=powershell.exe -ExecutionPolicy Restricted -Command \r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.3803\r", "MapDescription": "Provider is Started", "ChunkNumber": 1, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Function, Started, \\tProviderName=Function\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=9\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.3803\\n\\tHostId=9cb7deaf-e3f3-471d-be90-100baf32235f\\n\\tHostApplication=powershell.exe -ExecutionPolicy Restricted -Command \\n $isBroken = 0\\n\\n # Define the root registry path\\n $ShellRegRoot = 'HKCU:\\\\Software\\\\Classes\\\\Local Settings\\\\Software\\\\Microsoft\\\\Windows\\\\Shell'\\n $bagMRURoot = $ShellRegRoot + '\\\\BagMRU'\\n $bagRoot = $ShellRegRoot + '\\\\Bags'\\n\\n # Define the target GUID tail for MSGraphHome\\n $HomeFolderGuid = '14001F400E3174F8B7B6DC47BC84B9E6B38F59030000'\\n\\n $properties = Get-ItemProperty -Path $bagMRURoot\\n\\n foreach ($property in $properties.PSObject.Properties) {\\n if ($property.TypeNameOfValue -eq 'System.Byte[]') {\\n $hexString = ($property.Value | ForEach-Object { $_.ToString('X2') }) -join ''\\n if ($hexString -eq $HomeFolderGuid) {\\n $subkey = $property.Name\\n $nodeSlot = Get-ItemPropertyValue -Path ($bagMRURoot + '\\\\' + $subkey) -Name 'NodeSlot'\\n $isBroken = if ((Get-ItemPropertyValue -Path ($bagRoot + '\\\\' + $nodeSlot + '\\\\Shell\\\\*') -Name 'GroupView') -eq 0) { 1 } else { 0 }\\n break\\n }\\n }\\n }\\n\\n Write-Host 'Final result:',$isBroken\\n\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "60", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-17T12:12:04.2476883+00:00", "RecordNumber": 60 } { "PayloadData1": "HostApplication=powershell.exe -ExecutionPolicy Restricted -Command \r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.3803\r", "MapDescription": "Provider is Started", "ChunkNumber": 1, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Variable, Started, \\tProviderName=Variable\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=11\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.3803\\n\\tHostId=9cb7deaf-e3f3-471d-be90-100baf32235f\\n\\tHostApplication=powershell.exe -ExecutionPolicy Restricted -Command \\n $isBroken = 0\\n\\n # Define the root registry path\\n $ShellRegRoot = 'HKCU:\\\\Software\\\\Classes\\\\Local Settings\\\\Software\\\\Microsoft\\\\Windows\\\\Shell'\\n $bagMRURoot = $ShellRegRoot + '\\\\BagMRU'\\n $bagRoot = $ShellRegRoot + '\\\\Bags'\\n\\n # Define the target GUID tail for MSGraphHome\\n $HomeFolderGuid = '14001F400E3174F8B7B6DC47BC84B9E6B38F59030000'\\n\\n $properties = Get-ItemProperty -Path $bagMRURoot\\n\\n foreach ($property in $properties.PSObject.Properties) {\\n if ($property.TypeNameOfValue -eq 'System.Byte[]') {\\n $hexString = ($property.Value | ForEach-Object { $_.ToString('X2') }) -join ''\\n if ($hexString -eq $HomeFolderGuid) {\\n $subkey = $property.Name\\n $nodeSlot = Get-ItemPropertyValue -Path ($bagMRURoot + '\\\\' + $subkey) -Name 'NodeSlot'\\n $isBroken = if ((Get-ItemPropertyValue -Path ($bagRoot + '\\\\' + $nodeSlot + '\\\\Shell\\\\*') -Name 'GroupView') -eq 0) { 1 } else { 0 }\\n break\\n }\\n }\\n }\\n\\n Write-Host 'Final result:',$isBroken\\n\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "61", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-17T12:12:04.2476883+00:00", "RecordNumber": 61 } { "PayloadData1": "HostApplication=powershell.exe -ExecutionPolicy Restricted -Command \r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.3803\r", "MapDescription": "Engine state is changed from None to Available", "ChunkNumber": 1, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Available, None, \\tNewEngineState=Available\\n\\tPreviousEngineState=None\\n\\n\\tSequenceNumber=13\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.3803\\n\\tHostId=9cb7deaf-e3f3-471d-be90-100baf32235f\\n\\tHostApplication=powershell.exe -ExecutionPolicy Restricted -Command \\n $isBroken = 0\\n\\n # Define the root registry path\\n $ShellRegRoot = 'HKCU:\\\\Software\\\\Classes\\\\Local Settings\\\\Software\\\\Microsoft\\\\Windows\\\\Shell'\\n $bagMRURoot = $ShellRegRoot + '\\\\BagMRU'\\n $bagRoot = $ShellRegRoot + '\\\\Bags'\\n\\n # Define the target GUID tail for MSGraphHome\\n $HomeFolderGuid = '14001F400E3174F8B7B6DC47BC84B9E6B38F59030000'\\n\\n $properties = Get-ItemProperty -Path $bagMRURoot\\n\\n foreach ($property in $properties.PSObject.Properties) {\\n if ($property.TypeNameOfValue -eq 'System.Byte[]') {\\n $hexString = ($property.Value | ForEach-Object { $_.ToString('X2') }) -join ''\\n if ($hexString -eq $HomeFolderGuid) {\\n $subkey = $property.Name\\n $nodeSlot = Get-ItemPropertyValue -Path ($bagMRURoot + '\\\\' + $subkey) -Name 'NodeSlot'\\n $isBroken = if ((Get-ItemPropertyValue -Path ($bagRoot + '\\\\' + $nodeSlot + '\\\\Shell\\\\*') -Name 'GroupView') -eq 0) { 1 } else { 0 }\\n break\\n }\\n }\\n }\\n\\n Write-Host 'Final result:',$isBroken\\n\\n\\tEngineVersion=5.1.19041.3803\\n\\tRunspaceId=1de2cab4-5175-4f5d-8c0a-d456597cc148\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 400, "EventRecordId": "62", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-17T12:12:04.3343345+00:00", "RecordNumber": 62 } { "PayloadData1": "HostApplication=powershell.exe -ExecutionPolicy Restricted -Command \r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.3803\r", "MapDescription": "Engine state is changed from Available to Stopped", "ChunkNumber": 1, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Stopped, Available, \\tNewEngineState=Stopped\\n\\tPreviousEngineState=Available\\n\\n\\tSequenceNumber=15\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.3803\\n\\tHostId=9cb7deaf-e3f3-471d-be90-100baf32235f\\n\\tHostApplication=powershell.exe -ExecutionPolicy Restricted -Command \\n $isBroken = 0\\n\\n # Define the root registry path\\n $ShellRegRoot = 'HKCU:\\\\Software\\\\Classes\\\\Local Settings\\\\Software\\\\Microsoft\\\\Windows\\\\Shell'\\n $bagMRURoot = $ShellRegRoot + '\\\\BagMRU'\\n $bagRoot = $ShellRegRoot + '\\\\Bags'\\n\\n # Define the target GUID tail for MSGraphHome\\n $HomeFolderGuid = '14001F400E3174F8B7B6DC47BC84B9E6B38F59030000'\\n\\n $properties = Get-ItemProperty -Path $bagMRURoot\\n\\n foreach ($property in $properties.PSObject.Properties) {\\n if ($property.TypeNameOfValue -eq 'System.Byte[]') {\\n $hexString = ($property.Value | ForEach-Object { $_.ToString('X2') }) -join ''\\n if ($hexString -eq $HomeFolderGuid) {\\n $subkey = $property.Name\\n $nodeSlot = Get-ItemPropertyValue -Path ($bagMRURoot + '\\\\' + $subkey) -Name 'NodeSlot'\\n $isBroken = if ((Get-ItemPropertyValue -Path ($bagRoot + '\\\\' + $nodeSlot + '\\\\Shell\\\\*') -Name 'GroupView') -eq 0) { 1 } else { 0 }\\n break\\n }\\n }\\n }\\n\\n Write-Host 'Final result:',$isBroken\\n\\n\\tEngineVersion=5.1.19041.3803\\n\\tRunspaceId=1de2cab4-5175-4f5d-8c0a-d456597cc148\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 403, "EventRecordId": "63", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-17T12:12:06.0541181+00:00", "RecordNumber": 63 } { "PayloadData1": "HostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.3803\r", "MapDescription": "Provider is Started", "ChunkNumber": 1, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Registry, Started, \\tProviderName=Registry\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=1\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.3803\\n\\tHostId=87a30160-ab0d-433e-aed1-f364abb35d44\\n\\tHostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "64", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-17T12:12:08.0320112+00:00", "RecordNumber": 64 } { "PayloadData1": "HostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.3803\r", "MapDescription": "Provider is Started", "ChunkNumber": 1, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Alias, Started, \\tProviderName=Alias\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=3\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.3803\\n\\tHostId=87a30160-ab0d-433e-aed1-f364abb35d44\\n\\tHostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "65", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-17T12:12:08.0320112+00:00", "RecordNumber": 65 } { "PayloadData1": "HostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.3803\r", "MapDescription": "Provider is Started", "ChunkNumber": 1, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Environment, Started, \\tProviderName=Environment\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=5\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.3803\\n\\tHostId=87a30160-ab0d-433e-aed1-f364abb35d44\\n\\tHostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "66", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-17T12:12:08.0320112+00:00", "RecordNumber": 66 } { "PayloadData1": "HostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.3803\r", "MapDescription": "Provider is Started", "ChunkNumber": 1, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"FileSystem, Started, \\tProviderName=FileSystem\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=7\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.3803\\n\\tHostId=87a30160-ab0d-433e-aed1-f364abb35d44\\n\\tHostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "67", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-17T12:12:08.0333731+00:00", "RecordNumber": 67 } { "PayloadData1": "HostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.3803\r", "MapDescription": "Provider is Started", "ChunkNumber": 1, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Function, Started, \\tProviderName=Function\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=9\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.3803\\n\\tHostId=87a30160-ab0d-433e-aed1-f364abb35d44\\n\\tHostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "68", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-17T12:12:08.0345277+00:00", "RecordNumber": 68 } { "PayloadData1": "HostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.3803\r", "MapDescription": "Provider is Started", "ChunkNumber": 1, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Variable, Started, \\tProviderName=Variable\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=11\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.3803\\n\\tHostId=87a30160-ab0d-433e-aed1-f364abb35d44\\n\\tHostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "69", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-17T12:12:08.0345277+00:00", "RecordNumber": 69 } { "PayloadData1": "HostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.3803\r", "MapDescription": "Engine state is changed from None to Available", "ChunkNumber": 1, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Available, None, \\tNewEngineState=Available\\n\\tPreviousEngineState=None\\n\\n\\tSequenceNumber=13\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.3803\\n\\tHostId=87a30160-ab0d-433e-aed1-f364abb35d44\\n\\tHostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';\\n\\tEngineVersion=5.1.19041.3803\\n\\tRunspaceId=50a9386d-f185-42de-a80d-7a6971b35d21\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 400, "EventRecordId": "70", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-17T12:12:08.0367389+00:00", "RecordNumber": 70 } { "PayloadData1": "HostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.3803\r", "MapDescription": "Engine state is changed from Available to Stopped", "ChunkNumber": 1, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Stopped, Available, \\tNewEngineState=Stopped\\n\\tPreviousEngineState=Available\\n\\n\\tSequenceNumber=15\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.3803\\n\\tHostId=87a30160-ab0d-433e-aed1-f364abb35d44\\n\\tHostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';\\n\\tEngineVersion=5.1.19041.3803\\n\\tRunspaceId=50a9386d-f185-42de-a80d-7a6971b35d21\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 403, "EventRecordId": "71", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-17T12:12:08.4211840+00:00", "RecordNumber": 71 } { "PayloadData1": "HostApplication=C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.3803\r", "MapDescription": "Provider is Started", "ChunkNumber": 1, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Registry, Started, \\tProviderName=Registry\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=1\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.3803\\n\\tHostId=96f87e43-b69e-4b6d-a1d5-a1acc2bc5ea6\\n\\tHostApplication=C:\\\\Windows\\\\SysWOW64\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "72", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-17T13:02:03.8267636+00:00", "RecordNumber": 72 } { "PayloadData1": "HostApplication=C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.3803\r", "MapDescription": "Provider is Started", "ChunkNumber": 1, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Alias, Started, \\tProviderName=Alias\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=3\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.3803\\n\\tHostId=96f87e43-b69e-4b6d-a1d5-a1acc2bc5ea6\\n\\tHostApplication=C:\\\\Windows\\\\SysWOW64\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "73", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-17T13:02:03.8422750+00:00", "RecordNumber": 73 } { "PayloadData1": "HostApplication=C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.3803\r", "MapDescription": "Provider is Started", "ChunkNumber": 1, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Variable, Started, \\tProviderName=Variable\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=11\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.3803\\n\\tHostId=96f87e43-b69e-4b6d-a1d5-a1acc2bc5ea6\\n\\tHostApplication=C:\\\\Windows\\\\SysWOW64\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "74", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-17T13:02:03.9097778+00:00", "RecordNumber": 74 } { "PayloadData1": "HostApplication=C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.3803\r", "MapDescription": "Engine state is changed from None to Available", "ChunkNumber": 1, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Available, None, \\tNewEngineState=Available\\n\\tPreviousEngineState=None\\n\\n\\tSequenceNumber=13\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.3803\\n\\tHostId=96f87e43-b69e-4b6d-a1d5-a1acc2bc5ea6\\n\\tHostApplication=C:\\\\Windows\\\\SysWOW64\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\n\\tEngineVersion=5.1.19041.3803\\n\\tRunspaceId=32801acd-27b7-4816-a718-7fbe3c8777b9\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 400, "EventRecordId": "75", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-17T13:02:04.2789951+00:00", "RecordNumber": 75 } { "PayloadData1": "HostApplication=powershell -command $ExclusionType;$ExclusionFile = 'ExterroExclusions.txt';if(Test-Path -path $ExclusionFile ){ $Exclusions = Get-Content $ExclusionFile; foreach ($Item in $Exclusions ) { $ItemTrimmed = $Item.trim(); if($Item.length -gt 0){ if($ItemTrimmed.StartsWith('-')) { $ExclusionType = $ItemTrimmed; Write-Host $ExclusionType; } elseif ( !($ItemTrimmed.StartsWith('#'))) { if ($ExclusionType -eq '-Folder') { Add-MpPreference -ExclusionPath $ItemTrimmed; Write-Host Adding $ExclusionType exclusion $ItemTrimmed; } elseif ($ExclusionType -eq '-FileType') { Add-MpPreference -ExclusionExtension $ItemTrimmed; Write-Host Adding $ExclusionType exclusion $ItemTrimmed; } elseif ($ExclusionType -eq '-Process') { Add-MpPreference -ExclusionProcess $ItemTrimmed; Write-Host Adding $ExclusionType exclusion $ItemTrimmed; } } } }}else{ Write-Host Did not find exclusion file $ExclusionFile; Return;}\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.3803\r", "MapDescription": "Provider is Started", "ChunkNumber": 2, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Registry, Started, \\tProviderName=Registry\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=1\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.3803\\n\\tHostId=29293460-4b52-46de-be57-3cc141fd2618\\n\\tHostApplication=powershell -command $ExclusionType;$ExclusionFile = 'ExterroExclusions.txt';if(Test-Path -path $ExclusionFile ){ $Exclusions = Get-Content $ExclusionFile; foreach ($Item in $Exclusions ) { $ItemTrimmed = $Item.trim(); if($Item.length -gt 0){ if($ItemTrimmed.StartsWith('-')) { $ExclusionType = $ItemTrimmed; Write-Host $ExclusionType; } elseif ( !($ItemTrimmed.StartsWith('#'))) { if ($ExclusionType -eq '-Folder') { Add-MpPreference -ExclusionPath $ItemTrimmed; Write-Host Adding $ExclusionType exclusion $ItemTrimmed; } elseif ($ExclusionType -eq '-FileType') { Add-MpPreference -ExclusionExtension $ItemTrimmed; Write-Host Adding $ExclusionType exclusion $ItemTrimmed; } elseif ($ExclusionType -eq '-Process') { Add-MpPreference -ExclusionProcess $ItemTrimmed; Write-Host Adding $ExclusionType exclusion $ItemTrimmed; } } } }}else{ Write-Host Did not find exclusion file $ExclusionFile; Return;}\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "76", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-17T13:15:44.1204192+00:00", "RecordNumber": 76 } { "PayloadData1": "HostApplication=powershell -command $ExclusionType;$ExclusionFile = 'ExterroExclusions.txt';if(Test-Path -path $ExclusionFile ){ $Exclusions = Get-Content $ExclusionFile; foreach ($Item in $Exclusions ) { $ItemTrimmed = $Item.trim(); if($Item.length -gt 0){ if($ItemTrimmed.StartsWith('-')) { $ExclusionType = $ItemTrimmed; Write-Host $ExclusionType; } elseif ( !($ItemTrimmed.StartsWith('#'))) { if ($ExclusionType -eq '-Folder') { Add-MpPreference -ExclusionPath $ItemTrimmed; Write-Host Adding $ExclusionType exclusion $ItemTrimmed; } elseif ($ExclusionType -eq '-FileType') { Add-MpPreference -ExclusionExtension $ItemTrimmed; Write-Host Adding $ExclusionType exclusion $ItemTrimmed; } elseif ($ExclusionType -eq '-Process') { Add-MpPreference -ExclusionProcess $ItemTrimmed; Write-Host Adding $ExclusionType exclusion $ItemTrimmed; } } } }}else{ Write-Host Did not find exclusion file $ExclusionFile; Return;}\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.3773\r", "MapDescription": "Provider is Started", "ChunkNumber": 2, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Alias, Started, \\tProviderName=Alias\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=3\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.3773\\n\\tHostId=29293460-4b52-46de-be57-3cc141fd2618\\n\\tHostApplication=powershell -command $ExclusionType;$ExclusionFile = 'ExterroExclusions.txt';if(Test-Path -path $ExclusionFile ){ $Exclusions = Get-Content $ExclusionFile; foreach ($Item in $Exclusions ) { $ItemTrimmed = $Item.trim(); if($Item.length -gt 0){ if($ItemTrimmed.StartsWith('-')) { $ExclusionType = $ItemTrimmed; Write-Host $ExclusionType; } elseif ( !($ItemTrimmed.StartsWith('#'))) { if ($ExclusionType -eq '-Folder') { Add-MpPreference -ExclusionPath $ItemTrimmed; Write-Host Adding $ExclusionType exclusion $ItemTrimmed; } elseif ($ExclusionType -eq '-FileType') { Add-MpPreference -ExclusionExtension $ItemTrimmed; Write-Host Adding $ExclusionType exclusion $ItemTrimmed; } elseif ($ExclusionType -eq '-Process') { Add-MpPreference -ExclusionProcess $ItemTrimmed; Write-Host Adding $ExclusionType exclusion $ItemTrimmed; } } } }}else{ Write-Host Did not find exclusion file $ExclusionFile; Return;}\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "77", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x77000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-17T13:15:44.2416806+00:00", "RecordNumber": 77 } { "PayloadData1": "HostApplication=powershell -command $ExclusionType;$ExclusionFile = 'ExterroExclusions.txt';if(Test-Path -path $ExclusionFile ){ $Exclusions = Get-Content $ExclusionFile; foreach ($Item in $Exclusions ) { $ItemTrimmed = $Item.trim(); if($Item.length -gt 0){ if($ItemTrimmed.StartsWith('-')) { $ExclusionType = $ItemTrimmed; Write-Host $ExclusionType; } elseif ( !($ItemTrimmed.StartsWith('#'))) { if ($ExclusionType -eq '-Folder') { Add-MpPreference -ExclusionPath $ItemTrimmed; Write-Host Adding $ExclusionType exclusion $ItemTrimmed; } elseif ($ExclusionType -eq '-FileType') { Add-MpPreference -ExclusionExtension $ItemTrimmed; Write-Host Adding $ExclusionType exclusion $ItemTrimmed; } elseif ($ExclusionType -eq '-Process') { Add-MpPreference -ExclusionProcess $ItemTrimmed; Write-Host Adding $ExclusionType exclusion $ItemTrimmed; } } } }}else{ Write-Host Did not find exclusion file $ExclusionFile; Return;}\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.3803\r", "MapDescription": "Provider is Started", "ChunkNumber": 2, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Environment, Started, \\tProviderName=Environment\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=5\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.3803\\n\\tHostId=29293460-4b52-46de-be57-3cc141fd2618\\n\\tHostApplication=powershell -command $ExclusionType;$ExclusionFile = 'ExterroExclusions.txt';if(Test-Path -path $ExclusionFile ){ $Exclusions = Get-Content $ExclusionFile; foreach ($Item in $Exclusions ) { $ItemTrimmed = $Item.trim(); if($Item.length -gt 0){ if($ItemTrimmed.StartsWith('-')) { $ExclusionType = $ItemTrimmed; Write-Host $ExclusionType; } elseif ( !($ItemTrimmed.StartsWith('#'))) { if ($ExclusionType -eq '-Folder') { Add-MpPreference -ExclusionPath $ItemTrimmed; Write-Host Adding $ExclusionType exclusion $ItemTrimmed; } elseif ($ExclusionType -eq '-FileType') { Add-MpPreference -ExclusionExtension $ItemTrimmed; Write-Host Adding $ExclusionType exclusion $ItemTrimmed; } elseif ($ExclusionType -eq '-Process') { Add-MpPreference -ExclusionProcess $ItemTrimmed; Write-Host Adding $ExclusionType exclusion $ItemTrimmed; } } } }}else{ Write-Host Did not find exclusion file $ExclusionFile; Return;}\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "78", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-17T13:15:44.2416806+00:00", "RecordNumber": 78 } { "PayloadData1": "HostApplication=powershell -command $ExclusionType;$ExclusionFile = 'ExterroExclusions.txt';if(Test-Path -path $ExclusionFile ){ $Exclusions = Get-Content $ExclusionFile; foreach ($Item in $Exclusions ) { $ItemTrimmed = $Item.trim(); if($Item.length -gt 0){ if($ItemTrimmed.StartsWith('-')) { $ExclusionType = $ItemTrimmed; Write-Host $ExclusionType; } elseif ( !($ItemTrimmed.StartsWith('#'))) { if ($ExclusionType -eq '-Folder') { Add-MpPreference -ExclusionPath $ItemTrimmed; Write-Host Adding $ExclusionType exclusion $ItemTrimmed; } elseif ($ExclusionType -eq '-FileType') { Add-MpPreference -ExclusionExtension $ItemTrimmed; Write-Host Adding $ExclusionType exclusion $ItemTrimmed; } elseif ($ExclusionType -eq '-Process') { Add-MpPreference -ExclusionProcess $ItemTrimmed; Write-Host Adding $ExclusionType exclusion $ItemTrimmed; } } } }}else{ Write-Host Did not find exclusion file $ExclusionFile; Return;}\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.3803\r", "MapDescription": "Provider is Started", "ChunkNumber": 2, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"FileSystem, Started, \\tProviderName=FileSystem\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=7\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.3803\\n\\tHostId=29293460-4b52-46de-be57-3cc141fd2618\\n\\tHostApplication=powershell -command $ExclusionType;$ExclusionFile = 'ExterroExclusions.txt';if(Test-Path -path $ExclusionFile ){ $Exclusions = Get-Content $ExclusionFile; foreach ($Item in $Exclusions ) { $ItemTrimmed = $Item.trim(); if($Item.length -gt 0){ if($ItemTrimmed.StartsWith('-')) { $ExclusionType = $ItemTrimmed; Write-Host $ExclusionType; } elseif ( !($ItemTrimmed.StartsWith('#'))) { if ($ExclusionType -eq '-Folder') { Add-MpPreference -ExclusionPath $ItemTrimmed; Write-Host Adding $ExclusionType exclusion $ItemTrimmed; } elseif ($ExclusionType -eq '-FileType') { Add-MpPreference -ExclusionExtension $ItemTrimmed; Write-Host Adding $ExclusionType exclusion $ItemTrimmed; } elseif ($ExclusionType -eq '-Process') { Add-MpPreference -ExclusionProcess $ItemTrimmed; Write-Host Adding $ExclusionType exclusion $ItemTrimmed; } } } }}else{ Write-Host Did not find exclusion file $ExclusionFile; Return;}\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "79", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-17T13:15:44.4489179+00:00", "RecordNumber": 79 } { "PayloadData1": "HostApplication=powershell -command $ExclusionType;$ExclusionFile = 'ExterroExclusions.txt';if(Test-Path -path $ExclusionFile ){ $Exclusions = Get-Content $ExclusionFile; foreach ($Item in $Exclusions ) { $ItemTrimmed = $Item.trim(); if($Item.length -gt 0){ if($ItemTrimmed.StartsWith('-')) { $ExclusionType = $ItemTrimmed; Write-Host $ExclusionType; } elseif ( !($ItemTrimmed.StartsWith('#'))) { if ($ExclusionType -eq '-Folder') { Add-MpPreference -ExclusionPath $ItemTrimmed; Write-Host Adding $ExclusionType exclusion $ItemTrimmed; } elseif ($ExclusionType -eq '-FileType') { Add-MpPreference -ExclusionExtension $ItemTrimmed; Write-Host Adding $ExclusionType exclusion $ItemTrimmed; } elseif ($ExclusionType -eq '-Process') { Add-MpPreference -ExclusionProcess $ItemTrimmed; Write-Host Adding $ExclusionType exclusion $ItemTrimmed; } } } }}else{ Write-Host Did not find exclusion file $ExclusionFile; Return;}\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.3803\r", "MapDescription": "Provider is Started", "ChunkNumber": 2, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Function, Started, \\tProviderName=Function\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=9\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.3803\\n\\tHostId=29293460-4b52-46de-be57-3cc141fd2618\\n\\tHostApplication=powershell -command $ExclusionType;$ExclusionFile = 'ExterroExclusions.txt';if(Test-Path -path $ExclusionFile ){ $Exclusions = Get-Content $ExclusionFile; foreach ($Item in $Exclusions ) { $ItemTrimmed = $Item.trim(); if($Item.length -gt 0){ if($ItemTrimmed.StartsWith('-')) { $ExclusionType = $ItemTrimmed; Write-Host $ExclusionType; } elseif ( !($ItemTrimmed.StartsWith('#'))) { if ($ExclusionType -eq '-Folder') { Add-MpPreference -ExclusionPath $ItemTrimmed; Write-Host Adding $ExclusionType exclusion $ItemTrimmed; } elseif ($ExclusionType -eq '-FileType') { Add-MpPreference -ExclusionExtension $ItemTrimmed; Write-Host Adding $ExclusionType exclusion $ItemTrimmed; } elseif ($ExclusionType -eq '-Process') { Add-MpPreference -ExclusionProcess $ItemTrimmed; Write-Host Adding $ExclusionType exclusion $ItemTrimmed; } } } }}else{ Write-Host Did not find exclusion file $ExclusionFile; Return;}\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "80", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-17T13:15:44.4489179+00:00", "RecordNumber": 80 } { "PayloadData1": "HostApplication=powershell -command $ExclusionType;$ExclusionFile = 'ExterroExclusions.txt';if(Test-Path -path $ExclusionFile ){ $Exclusions = Get-Content $ExclusionFile; foreach ($Item in $Exclusions ) { $ItemTrimmed = $Item.trim(); if($Item.length -gt 0){ if($ItemTrimmed.StartsWith('-')) { $ExclusionType = $ItemTrimmed; Write-Host $ExclusionType; } elseif ( !($ItemTrimmed.StartsWith('#'))) { if ($ExclusionType -eq '-Folder') { Add-MpPreference -ExclusionPath $ItemTrimmed; Write-Host Adding $ExclusionType exclusion $ItemTrimmed; } elseif ($ExclusionType -eq '-FileType') { Add-MpPreference -ExclusionExtension $ItemTrimmed; Write-Host Adding $ExclusionType exclusion $ItemTrimmed; } elseif ($ExclusionType -eq '-Process') { Add-MpPreference -ExclusionProcess $ItemTrimmed; Write-Host Adding $ExclusionType exclusion $ItemTrimmed; } } } }}else{ Write-Host Did not find exclusion file $ExclusionFile; Return;}\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.3803\r", "MapDescription": "Provider is Started", "ChunkNumber": 2, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Variable, Started, \\tProviderName=Variable\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=11\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.3803\\n\\tHostId=29293460-4b52-46de-be57-3cc141fd2618\\n\\tHostApplication=powershell -command $ExclusionType;$ExclusionFile = 'ExterroExclusions.txt';if(Test-Path -path $ExclusionFile ){ $Exclusions = Get-Content $ExclusionFile; foreach ($Item in $Exclusions ) { $ItemTrimmed = $Item.trim(); if($Item.length -gt 0){ if($ItemTrimmed.StartsWith('-')) { $ExclusionType = $ItemTrimmed; Write-Host $ExclusionType; } elseif ( !($ItemTrimmed.StartsWith('#'))) { if ($ExclusionType -eq '-Folder') { Add-MpPreference -ExclusionPath $ItemTrimmed; Write-Host Adding $ExclusionType exclusion $ItemTrimmed; } elseif ($ExclusionType -eq '-FileType') { Add-MpPreference -ExclusionExtension $ItemTrimmed; Write-Host Adding $ExclusionType exclusion $ItemTrimmed; } elseif ($ExclusionType -eq '-Process') { Add-MpPreference -ExclusionProcess $ItemTrimmed; Write-Host Adding $ExclusionType exclusion $ItemTrimmed; } } } }}else{ Write-Host Did not find exclusion file $ExclusionFile; Return;}\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "81", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-17T13:15:44.4489179+00:00", "RecordNumber": 81 } { "PayloadData1": "HostApplication=powershell -command $ExclusionType;$ExclusionFile = 'ExterroExclusions.txt';if(Test-Path -path $ExclusionFile ){ $Exclusions = Get-Content $ExclusionFile; foreach ($Item in $Exclusions ) { $ItemTrimmed = $Item.trim(); if($Item.length -gt 0){ if($ItemTrimmed.StartsWith('-')) { $ExclusionType = $ItemTrimmed; Write-Host $ExclusionType; } elseif ( !($ItemTrimmed.StartsWith('#'))) { if ($ExclusionType -eq '-Folder') { Add-MpPreference -ExclusionPath $ItemTrimmed; Write-Host Adding $ExclusionType exclusion $ItemTrimmed; } elseif ($ExclusionType -eq '-FileType') { Add-MpPreference -ExclusionExtension $ItemTrimmed; Write-Host Adding $ExclusionType exclusion $ItemTrimmed; } elseif ($ExclusionType -eq '-Process') { Add-MpPreference -ExclusionProcess $ItemTrimmed; Write-Host Adding $ExclusionType exclusion $ItemTrimmed; } } } }}else{ Write-Host Did not find exclusion file $ExclusionFile; Return;}\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.3803\r", "MapDescription": "Engine state is changed from None to Available", "ChunkNumber": 2, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Available, None, \\tNewEngineState=Available\\n\\tPreviousEngineState=None\\n\\n\\tSequenceNumber=13\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.3803\\n\\tHostId=29293460-4b52-46de-be57-3cc141fd2618\\n\\tHostApplication=powershell -command $ExclusionType;$ExclusionFile = 'ExterroExclusions.txt';if(Test-Path -path $ExclusionFile ){ $Exclusions = Get-Content $ExclusionFile; foreach ($Item in $Exclusions ) { $ItemTrimmed = $Item.trim(); if($Item.length -gt 0){ if($ItemTrimmed.StartsWith('-')) { $ExclusionType = $ItemTrimmed; Write-Host $ExclusionType; } elseif ( !($ItemTrimmed.StartsWith('#'))) { if ($ExclusionType -eq '-Folder') { Add-MpPreference -ExclusionPath $ItemTrimmed; Write-Host Adding $ExclusionType exclusion $ItemTrimmed; } elseif ($ExclusionType -eq '-FileType') { Add-MpPreference -ExclusionExtension $ItemTrimmed; Write-Host Adding $ExclusionType exclusion $ItemTrimmed; } elseif ($ExclusionType -eq '-Process') { Add-MpPreference -ExclusionProcess $ItemTrimmed; Write-Host Adding $ExclusionType exclusion $ItemTrimmed; } } } }}else{ Write-Host Did not find exclusion file $ExclusionFile; Return;}\\n\\tEngineVersion=5.1.19041.3803\\n\\tRunspaceId=5eccdbc3-65da-4567-87d4-91c6223420d1\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 400, "EventRecordId": "82", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-17T13:15:45.3707004+00:00", "RecordNumber": 82 } { "PayloadData1": "HostApplication=powershell -command $ExclusionType;$ExclusionFile = 'ExterroExclusions.txt';if(Test-Path -path $ExclusionFile ){ $Exclusions = Get-Content $ExclusionFile; foreach ($Item in $Exclusions ) { $ItemTrimmed = $Item.trim(); if($Item.length -gt 0){ if($ItemTrimmed.StartsWith('-')) { $ExclusionType = $ItemTrimmed; Write-Host $ExclusionType; } elseif ( !($ItemTrimmed.StartsWith('#'))) { if ($ExclusionType -eq '-Folder') { Add-MpPreference -ExclusionPath $ItemTrimmed; Write-Host Adding $ExclusionType exclusion $ItemTrimmed; } elseif ($ExclusionType -eq '-FileType') { Add-MpPreference -ExclusionExtension $ItemTrimmed; Write-Host Adding $ExclusionType exclusion $ItemTrimmed; } elseif ($ExclusionType -eq '-Process') { Add-MpPreference -ExclusionProcess $ItemTrimmed; Write-Host Adding $ExclusionType exclusion $ItemTrimmed; } } } }}else{ Write-Host Did not find exclusion file $ExclusionFile; Return;}\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.3803\r", "MapDescription": "Engine state is changed from Available to Stopped", "ChunkNumber": 2, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Stopped, Available, \\tNewEngineState=Stopped\\n\\tPreviousEngineState=Available\\n\\n\\tSequenceNumber=15\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.3803\\n\\tHostId=29293460-4b52-46de-be57-3cc141fd2618\\n\\tHostApplication=powershell -command $ExclusionType;$ExclusionFile = 'ExterroExclusions.txt';if(Test-Path -path $ExclusionFile ){ $Exclusions = Get-Content $ExclusionFile; foreach ($Item in $Exclusions ) { $ItemTrimmed = $Item.trim(); if($Item.length -gt 0){ if($ItemTrimmed.StartsWith('-')) { $ExclusionType = $ItemTrimmed; Write-Host $ExclusionType; } elseif ( !($ItemTrimmed.StartsWith('#'))) { if ($ExclusionType -eq '-Folder') { Add-MpPreference -ExclusionPath $ItemTrimmed; Write-Host Adding $ExclusionType exclusion $ItemTrimmed; } elseif ($ExclusionType -eq '-FileType') { Add-MpPreference -ExclusionExtension $ItemTrimmed; Write-Host Adding $ExclusionType exclusion $ItemTrimmed; } elseif ($ExclusionType -eq '-Process') { Add-MpPreference -ExclusionProcess $ItemTrimmed; Write-Host Adding $ExclusionType exclusion $ItemTrimmed; } } } }}else{ Write-Host Did not find exclusion file $ExclusionFile; Return;}\\n\\tEngineVersion=5.1.19041.3803\\n\\tRunspaceId=5eccdbc3-65da-4567-87d4-91c6223420d1\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 403, "EventRecordId": "83", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-17T13:17:15.5891621+00:00", "RecordNumber": 83 } { "PayloadData1": "HostApplication=C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.3803\r", "MapDescription": "Provider is Started", "ChunkNumber": 2, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Registry, Started, \\tProviderName=Registry\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=1\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.3803\\n\\tHostId=ca90d354-ecc6-463d-83d3-1862afa8a25e\\n\\tHostApplication=C:\\\\Windows\\\\SysWOW64\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "84", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-17T14:43:17.5503868+00:00", "RecordNumber": 84 } { "PayloadData1": "HostApplication=C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.3803\r", "MapDescription": "Provider is Started", "ChunkNumber": 2, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Alias, Started, \\tProviderName=Alias\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=3\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.3803\\n\\tHostId=ca90d354-ecc6-463d-83d3-1862afa8a25e\\n\\tHostApplication=C:\\\\Windows\\\\SysWOW64\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "85", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-17T14:43:17.6073883+00:00", "RecordNumber": 85 } { "PayloadData1": "HostApplication=C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.3803\r", "MapDescription": "Provider is Started", "ChunkNumber": 2, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Environment, Started, \\tProviderName=Environment\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=5\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.3803\\n\\tHostId=ca90d354-ecc6-463d-83d3-1862afa8a25e\\n\\tHostApplication=C:\\\\Windows\\\\SysWOW64\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "86", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-17T14:43:17.6073883+00:00", "RecordNumber": 86 } { "PayloadData1": "HostApplication=C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.3803\r", "MapDescription": "Provider is Started", "ChunkNumber": 2, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"FileSystem, Started, \\tProviderName=FileSystem\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=7\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.3803\\n\\tHostId=ca90d354-ecc6-463d-83d3-1862afa8a25e\\n\\tHostApplication=C:\\\\Windows\\\\SysWOW64\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "87", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-17T14:43:17.8809588+00:00", "RecordNumber": 87 } { "PayloadData1": "HostApplication=C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.3803\r", "MapDescription": "Provider is Started", "ChunkNumber": 2, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Function, Started, \\tProviderName=Function\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=9\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.3803\\n\\tHostId=ca90d354-ecc6-463d-83d3-1862afa8a25e\\n\\tHostApplication=C:\\\\Windows\\\\SysWOW64\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "88", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-17T14:43:17.8809588+00:00", "RecordNumber": 88 } { "PayloadData1": "HostApplication=C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.3803\r", "MapDescription": "Provider is Started", "ChunkNumber": 2, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Variable, Started, \\tProviderName=Variable\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=11\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.3803\\n\\tHostId=ca90d354-ecc6-463d-83d3-1862afa8a25e\\n\\tHostApplication=C:\\\\Windows\\\\SysWOW64\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "89", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-17T14:43:17.8809588+00:00", "RecordNumber": 89 } { "PayloadData1": "HostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\\Users\\alexis.arval-~1\\AppData\\Local\\Temp\\editPrices.ps1\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Provider is Started", "ChunkNumber": 6, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Registry, Started, \\tProviderName=Registry\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=1\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=b80ed180-c2dc-426b-b8e3-7ca0b89f5f7c\\n\\tHostApplication=C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\\\\Users\\\\alexis.arval-~1\\\\AppData\\\\Local\\\\Temp\\\\editPrices.ps1\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "90", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-18T9:30:01.1762896+00:00", "RecordNumber": 90 } { "PayloadData1": "HostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Provider is Started", "ChunkNumber": 2, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Alias, Started, \\tProviderName=Alias\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=3\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=75cebfd0-bd64-4bb6-b3ca-a6230c97b774\\n\\tHostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "91", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-18T15:44:58.1073235+00:00", "RecordNumber": 91 } { "PayloadData1": "HostApplication=powershell.exe -ExecutionPolicy Restricted -Command \r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Provider is Started", "ChunkNumber": 2, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Alias, Started, \\tProviderName=Alias\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=3\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=650976dc-26da-478d-8a05-f6a12e4c32f4\\n\\tHostApplication=powershell.exe -ExecutionPolicy Restricted -Command \\n $isBroken = 0\\n\\n # Define the root registry path\\n $ShellRegRoot = 'HKCU:\\\\Software\\\\Classes\\\\Local Settings\\\\Software\\\\Microsoft\\\\Windows\\\\Shell'\\n $bagMRURoot = $ShellRegRoot + '\\\\BagMRU'\\n $bagRoot = $ShellRegRoot + '\\\\Bags'\\n\\n # Define the target GUID tail for MSGraphHome\\n $HomeFolderGuid = '14001F400E3174F8B7B6DC47BC84B9E6B38F59030000'\\n\\n $properties = Get-ItemProperty -Path $bagMRURoot\\n\\n foreach ($property in $properties.PSObject.Properties) {\\n if ($property.TypeNameOfValue -eq 'System.Byte[]') {\\n $hexString = ($property.Value | ForEach-Object { $_.ToString('X2') }) -join ''\\n if ($hexString -eq $HomeFolderGuid) {\\n $subkey = $property.Name\\n $nodeSlot = Get-ItemPropertyValue -Path ($bagMRURoot + '\\\\' + $subkey) -Name 'NodeSlot'\\n $isBroken = if ((Get-ItemPropertyValue -Path ($bagRoot + '\\\\' + $nodeSlot + '\\\\Shell\\\\*') -Name 'GroupView') -eq 0) { 1 } else { 0 }\\n break\\n }\\n }\\n }\\n\\n Write-Host 'Final result:',$isBroken\\n\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "92", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-18T15:44:58.1073235+00:00", "RecordNumber": 92 } { "PayloadData1": "HostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Provider is Started", "ChunkNumber": 2, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Environment, Started, \\tProviderName=Environment\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=5\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=75cebfd0-bd64-4bb6-b3ca-a6230c97b774\\n\\tHostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "93", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-18T15:44:58.1073235+00:00", "RecordNumber": 93 } { "PayloadData1": "HostApplication=powershell.exe -ExecutionPolicy Restricted -Command \r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Provider is Started", "ChunkNumber": 2, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Environment, Started, \\tProviderName=Environment\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=5\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=650976dc-26da-478d-8a05-f6a12e4c32f4\\n\\tHostApplication=powershell.exe -ExecutionPolicy Restricted -Command \\n $isBroken = 0\\n\\n # Define the root registry path\\n $ShellRegRoot = 'HKCU:\\\\Software\\\\Classes\\\\Local Settings\\\\Software\\\\Microsoft\\\\Windows\\\\Shell'\\n $bagMRURoot = $ShellRegRoot + '\\\\BagMRU'\\n $bagRoot = $ShellRegRoot + '\\\\Bags'\\n\\n # Define the target GUID tail for MSGraphHome\\n $HomeFolderGuid = '14001F400E3174F8B7B6DC47BC84B9E6B38F59030000'\\n\\n $properties = Get-ItemProperty -Path $bagMRURoot\\n\\n foreach ($property in $properties.PSObject.Properties) {\\n if ($property.TypeNameOfValue -eq 'System.Byte[]') {\\n $hexString = ($property.Value | ForEach-Object { $_.ToString('X2') }) -join ''\\n if ($hexString -eq $HomeFolderGuid) {\\n $subkey = $property.Name\\n $nodeSlot = Get-ItemPropertyValue -Path ($bagMRURoot + '\\\\' + $subkey) -Name 'NodeSlot'\\n $isBroken = if ((Get-ItemPropertyValue -Path ($bagRoot + '\\\\' + $nodeSlot + '\\\\Shell\\\\*') -Name 'GroupView') -eq 0) { 1 } else { 0 }\\n break\\n }\\n }\\n }\\n\\n Write-Host 'Final result:',$isBroken\\n\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "94", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-18T15:44:58.1073235+00:00", "RecordNumber": 94 } { "PayloadData1": "HostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Provider is Started", "ChunkNumber": 2, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"FileSystem, Started, \\tProviderName=FileSystem\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=7\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=75cebfd0-bd64-4bb6-b3ca-a6230c97b774\\n\\tHostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "95", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-18T15:44:58.2908625+00:00", "RecordNumber": 95 } { "PayloadData1": "HostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Provider is Started", "ChunkNumber": 2, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Alias, Started, \\tProviderName=Alias\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=3\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=75cebfd0-bd64-4bb6-b3ca-a6230c97b774\\n\\tHostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "96", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-18T16:32:14.1073235+00:00", "RecordNumber": 96 } { "PayloadData1": "HostApplication=powershell.exe -ExecutionPolicy Restricted -Command \r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Provider is Started", "ChunkNumber": 2, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Alias, Started, \\tProviderName=Alias\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=3\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=650976dc-26da-478d-8a05-f6a12e4c32f4\\n\\tHostApplication=powershell.exe -ExecutionPolicy Restricted -Command \\n $isBroken = 0\\n\\n # Define the root registry path\\n $ShellRegRoot = 'HKCU:\\\\Software\\\\Classes\\\\Local Settings\\\\Software\\\\Microsoft\\\\Windows\\\\Shell'\\n $bagMRURoot = $ShellRegRoot + '\\\\BagMRU'\\n $bagRoot = $ShellRegRoot + '\\\\Bags'\\n\\n # Define the target GUID tail for MSGraphHome\\n $HomeFolderGuid = '14001F400E3174F8B7B6DC47BC84B9E6B38F59030000'\\n\\n $properties = Get-ItemProperty -Path $bagMRURoot\\n\\n foreach ($property in $properties.PSObject.Properties) {\\n if ($property.TypeNameOfValue -eq 'System.Byte[]') {\\n $hexString = ($property.Value | ForEach-Object { $_.ToString('X2') }) -join ''\\n if ($hexString -eq $HomeFolderGuid) {\\n $subkey = $property.Name\\n $nodeSlot = Get-ItemPropertyValue -Path ($bagMRURoot + '\\\\' + $subkey) -Name 'NodeSlot'\\n $isBroken = if ((Get-ItemPropertyValue -Path ($bagRoot + '\\\\' + $nodeSlot + '\\\\Shell\\\\*') -Name 'GroupView') -eq 0) { 1 } else { 0 }\\n break\\n }\\n }\\n }\\n\\n Write-Host 'Final result:',$isBroken\\n\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "97", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-18T16:32:14.1073235+00:00", "RecordNumber": 97 } { "PayloadData1": "HostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Provider is Started", "ChunkNumber": 2, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Environment, Started, \\tProviderName=Environment\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=5\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=75cebfd0-bd64-4bb6-b3ca-a6230c97b774\\n\\tHostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "98", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-18T16:32:14.1073235+00:00", "RecordNumber": 98 } { "PayloadData1": "HostApplication=powershell.exe -ExecutionPolicy Restricted -Command \r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Provider is Started", "ChunkNumber": 2, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Environment, Started, \\tProviderName=Environment\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=5\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=650976dc-26da-478d-8a05-f6a12e4c32f4\\n\\tHostApplication=powershell.exe -ExecutionPolicy Restricted -Command \\n $isBroken = 0\\n\\n # Define the root registry path\\n $ShellRegRoot = 'HKCU:\\\\Software\\\\Classes\\\\Local Settings\\\\Software\\\\Microsoft\\\\Windows\\\\Shell'\\n $bagMRURoot = $ShellRegRoot + '\\\\BagMRU'\\n $bagRoot = $ShellRegRoot + '\\\\Bags'\\n\\n # Define the target GUID tail for MSGraphHome\\n $HomeFolderGuid = '14001F400E3174F8B7B6DC47BC84B9E6B38F59030000'\\n\\n $properties = Get-ItemProperty -Path $bagMRURoot\\n\\n foreach ($property in $properties.PSObject.Properties) {\\n if ($property.TypeNameOfValue -eq 'System.Byte[]') {\\n $hexString = ($property.Value | ForEach-Object { $_.ToString('X2') }) -join ''\\n if ($hexString -eq $HomeFolderGuid) {\\n $subkey = $property.Name\\n $nodeSlot = Get-ItemPropertyValue -Path ($bagMRURoot + '\\\\' + $subkey) -Name 'NodeSlot'\\n $isBroken = if ((Get-ItemPropertyValue -Path ($bagRoot + '\\\\' + $nodeSlot + '\\\\Shell\\\\*') -Name 'GroupView') -eq 0) { 1 } else { 0 }\\n break\\n }\\n }\\n }\\n\\n Write-Host 'Final result:',$isBroken\\n\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "99", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-18T16:32:14.1073235+00:00", "RecordNumber": 99 } { "PayloadData1": "HostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Provider is Started", "ChunkNumber": 2, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"FileSystem, Started, \\tProviderName=FileSystem\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=7\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=75cebfd0-bd64-4bb6-b3ca-a6230c97b774\\n\\tHostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "100", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-18T16:32:14.2908625+00:00", "RecordNumber": 100 } { "PayloadData1": "HostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Provider is Started", "ChunkNumber": 2, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Alias, Started, \\tProviderName=Alias\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=3\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=75cebfd0-bd64-4bb6-b3ca-a6230c97b774\\n\\tHostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "101", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-18T18:01:08.1073235+00:00", "RecordNumber": 101 } { "PayloadData1": "HostApplication=powershell.exe -ExecutionPolicy Restricted -Command \r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Provider is Started", "ChunkNumber": 2, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Alias, Started, \\tProviderName=Alias\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=3\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=650976dc-26da-478d-8a05-f6a12e4c32f4\\n\\tHostApplication=powershell.exe -ExecutionPolicy Restricted -Command \\n $isBroken = 0\\n\\n # Define the root registry path\\n $ShellRegRoot = 'HKCU:\\\\Software\\\\Classes\\\\Local Settings\\\\Software\\\\Microsoft\\\\Windows\\\\Shell'\\n $bagMRURoot = $ShellRegRoot + '\\\\BagMRU'\\n $bagRoot = $ShellRegRoot + '\\\\Bags'\\n\\n # Define the target GUID tail for MSGraphHome\\n $HomeFolderGuid = '14001F400E3174F8B7B6DC47BC84B9E6B38F59030000'\\n\\n $properties = Get-ItemProperty -Path $bagMRURoot\\n\\n foreach ($property in $properties.PSObject.Properties) {\\n if ($property.TypeNameOfValue -eq 'System.Byte[]') {\\n $hexString = ($property.Value | ForEach-Object { $_.ToString('X2') }) -join ''\\n if ($hexString -eq $HomeFolderGuid) {\\n $subkey = $property.Name\\n $nodeSlot = Get-ItemPropertyValue -Path ($bagMRURoot + '\\\\' + $subkey) -Name 'NodeSlot'\\n $isBroken = if ((Get-ItemPropertyValue -Path ($bagRoot + '\\\\' + $nodeSlot + '\\\\Shell\\\\*') -Name 'GroupView') -eq 0) { 1 } else { 0 }\\n break\\n }\\n }\\n }\\n\\n Write-Host 'Final result:',$isBroken\\n\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "102", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-18T18:01:08.1073235+00:00", "RecordNumber": 102 } { "PayloadData1": "HostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Provider is Started", "ChunkNumber": 2, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Environment, Started, \\tProviderName=Environment\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=5\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=75cebfd0-bd64-4bb6-b3ca-a6230c97b774\\n\\tHostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "103", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-18T18:01:08.1073235+00:00", "RecordNumber": 103 } { "PayloadData1": "HostApplication=powershell.exe -ExecutionPolicy Restricted -Command \r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Provider is Started", "ChunkNumber": 2, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Environment, Started, \\tProviderName=Environment\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=5\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=650976dc-26da-478d-8a05-f6a12e4c32f4\\n\\tHostApplication=powershell.exe -ExecutionPolicy Restricted -Command \\n $isBroken = 0\\n\\n # Define the root registry path\\n $ShellRegRoot = 'HKCU:\\\\Software\\\\Classes\\\\Local Settings\\\\Software\\\\Microsoft\\\\Windows\\\\Shell'\\n $bagMRURoot = $ShellRegRoot + '\\\\BagMRU'\\n $bagRoot = $ShellRegRoot + '\\\\Bags'\\n\\n # Define the target GUID tail for MSGraphHome\\n $HomeFolderGuid = '14001F400E3174F8B7B6DC47BC84B9E6B38F59030000'\\n\\n $properties = Get-ItemProperty -Path $bagMRURoot\\n\\n foreach ($property in $properties.PSObject.Properties) {\\n if ($property.TypeNameOfValue -eq 'System.Byte[]') {\\n $hexString = ($property.Value | ForEach-Object { $_.ToString('X2') }) -join ''\\n if ($hexString -eq $HomeFolderGuid) {\\n $subkey = $property.Name\\n $nodeSlot = Get-ItemPropertyValue -Path ($bagMRURoot + '\\\\' + $subkey) -Name 'NodeSlot'\\n $isBroken = if ((Get-ItemPropertyValue -Path ($bagRoot + '\\\\' + $nodeSlot + '\\\\Shell\\\\*') -Name 'GroupView') -eq 0) { 1 } else { 0 }\\n break\\n }\\n }\\n }\\n\\n Write-Host 'Final result:',$isBroken\\n\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "104", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-18T18:01:08.1073235+00:00", "RecordNumber": 104 } { "PayloadData1": "HostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Provider is Started", "ChunkNumber": 2, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"FileSystem, Started, \\tProviderName=FileSystem\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=7\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=75cebfd0-bd64-4bb6-b3ca-a6230c97b774\\n\\tHostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "105", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-18T18:01:08.2908625+00:00", "RecordNumber": 105 } { "PayloadData1": "HostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Provider is Started", "ChunkNumber": 2, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Alias, Started, \\tProviderName=Alias\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=3\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=75cebfd0-bd64-4bb6-b3ca-a6230c97b774\\n\\tHostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "106", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-18T18:01:08.3073235+00:00", "RecordNumber": 106 } { "PayloadData1": "HostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Provider is Started", "ChunkNumber": 2, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Function, Started, \\tProviderName=Function\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=9\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=75cebfd0-bd64-4bb6-b3ca-a6230c97b774\\n\\tHostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "107", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-19T15:44:58.2908625+00:00", "RecordNumber": 107 } { "PayloadData1": "HostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Provider is Started", "ChunkNumber": 2, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Function, Started, \\tProviderName=Function\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=9\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=75cebfd0-bd64-4bb6-b3ca-a6230c97b774\\n\\tHostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "108", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-19T15:44:58.2908625+00:00", "RecordNumber": 108 } { "PayloadData1": "HostApplication=powershell.exe -ExecutionPolicy Restricted -Command \r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Provider is Started", "ChunkNumber": 2, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"FileSystem, Started, \\tProviderName=FileSystem\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=7\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=650976dc-26da-478d-8a05-f6a12e4c32f4\\n\\tHostApplication=powershell.exe -ExecutionPolicy Restricted -Command \\n $isBroken = 0\\n\\n # Define the root registry path\\n $ShellRegRoot = 'HKCU:\\\\Software\\\\Classes\\\\Local Settings\\\\Software\\\\Microsoft\\\\Windows\\\\Shell'\\n $bagMRURoot = $ShellRegRoot + '\\\\BagMRU'\\n $bagRoot = $ShellRegRoot + '\\\\Bags'\\n\\n # Define the target GUID tail for MSGraphHome\\n $HomeFolderGuid = '14001F400E3174F8B7B6DC47BC84B9E6B38F59030000'\\n\\n $properties = Get-ItemProperty -Path $bagMRURoot\\n\\n foreach ($property in $properties.PSObject.Properties) {\\n if ($property.TypeNameOfValue -eq 'System.Byte[]') {\\n $hexString = ($property.Value | ForEach-Object { $_.ToString('X2') }) -join ''\\n if ($hexString -eq $HomeFolderGuid) {\\n $subkey = $property.Name\\n $nodeSlot = Get-ItemPropertyValue -Path ($bagMRURoot + '\\\\' + $subkey) -Name 'NodeSlot'\\n $isBroken = if ((Get-ItemPropertyValue -Path ($bagRoot + '\\\\' + $nodeSlot + '\\\\Shell\\\\*') -Name 'GroupView') -eq 0) { 1 } else { 0 }\\n break\\n }\\n }\\n }\\n\\n Write-Host 'Final result:',$isBroken\\n\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "109", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-19T15:44:58.2908625+00:00", "RecordNumber": 109 } { "PayloadData1": "HostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Provider is Started", "ChunkNumber": 2, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Variable, Started, \\tProviderName=Variable\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=11\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=75cebfd0-bd64-4bb6-b3ca-a6230c97b774\\n\\tHostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "110", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-19T15:44:58.2908625+00:00", "RecordNumber": 110 } { "PayloadData1": "HostApplication=powershell.exe -ExecutionPolicy Restricted -Command \r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Provider is Started", "ChunkNumber": 2, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Function, Started, \\tProviderName=Function\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=9\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=650976dc-26da-478d-8a05-f6a12e4c32f4\\n\\tHostApplication=powershell.exe -ExecutionPolicy Restricted -Command \\n $isBroken = 0\\n\\n # Define the root registry path\\n $ShellRegRoot = 'HKCU:\\\\Software\\\\Classes\\\\Local Settings\\\\Software\\\\Microsoft\\\\Windows\\\\Shell'\\n $bagMRURoot = $ShellRegRoot + '\\\\BagMRU'\\n $bagRoot = $ShellRegRoot + '\\\\Bags'\\n\\n # Define the target GUID tail for MSGraphHome\\n $HomeFolderGuid = '14001F400E3174F8B7B6DC47BC84B9E6B38F59030000'\\n\\n $properties = Get-ItemProperty -Path $bagMRURoot\\n\\n foreach ($property in $properties.PSObject.Properties) {\\n if ($property.TypeNameOfValue -eq 'System.Byte[]') {\\n $hexString = ($property.Value | ForEach-Object { $_.ToString('X2') }) -join ''\\n if ($hexString -eq $HomeFolderGuid) {\\n $subkey = $property.Name\\n $nodeSlot = Get-ItemPropertyValue -Path ($bagMRURoot + '\\\\' + $subkey) -Name 'NodeSlot'\\n $isBroken = if ((Get-ItemPropertyValue -Path ($bagRoot + '\\\\' + $nodeSlot + '\\\\Shell\\\\*') -Name 'GroupView') -eq 0) { 1 } else { 0 }\\n break\\n }\\n }\\n }\\n\\n Write-Host 'Final result:',$isBroken\\n\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "111", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-19T15:44:58.2908625+00:00", "RecordNumber": 111 } { "PayloadData1": "HostApplication=powershell.exe -ExecutionPolicy Restricted -Command \r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Provider is Started", "ChunkNumber": 2, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Variable, Started, \\tProviderName=Variable\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=11\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=650976dc-26da-478d-8a05-f6a12e4c32f4\\n\\tHostApplication=powershell.exe -ExecutionPolicy Restricted -Command \\n $isBroken = 0\\n\\n # Define the root registry path\\n $ShellRegRoot = 'HKCU:\\\\Software\\\\Classes\\\\Local Settings\\\\Software\\\\Microsoft\\\\Windows\\\\Shell'\\n $bagMRURoot = $ShellRegRoot + '\\\\BagMRU'\\n $bagRoot = $ShellRegRoot + '\\\\Bags'\\n\\n # Define the target GUID tail for MSGraphHome\\n $HomeFolderGuid = '14001F400E3174F8B7B6DC47BC84B9E6B38F59030000'\\n\\n $properties = Get-ItemProperty -Path $bagMRURoot\\n\\n foreach ($property in $properties.PSObject.Properties) {\\n if ($property.TypeNameOfValue -eq 'System.Byte[]') {\\n $hexString = ($property.Value | ForEach-Object { $_.ToString('X2') }) -join ''\\n if ($hexString -eq $HomeFolderGuid) {\\n $subkey = $property.Name\\n $nodeSlot = Get-ItemPropertyValue -Path ($bagMRURoot + '\\\\' + $subkey) -Name 'NodeSlot'\\n $isBroken = if ((Get-ItemPropertyValue -Path ($bagRoot + '\\\\' + $nodeSlot + '\\\\Shell\\\\*') -Name 'GroupView') -eq 0) { 1 } else { 0 }\\n break\\n }\\n }\\n }\\n\\n Write-Host 'Final result:',$isBroken\\n\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "112", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-19T15:44:58.2908625+00:00", "RecordNumber": 112 } { "PayloadData1": "HostApplication=powershell.exe -ExecutionPolicy Restricted -Command \r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Engine state is changed from None to Available", "ChunkNumber": 2, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Available, None, \\tNewEngineState=Available\\n\\tPreviousEngineState=None\\n\\n\\tSequenceNumber=13\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=650976dc-26da-478d-8a05-f6a12e4c32f4\\n\\tHostApplication=powershell.exe -ExecutionPolicy Restricted -Command \\n $isBroken = 0\\n\\n # Define the root registry path\\n $ShellRegRoot = 'HKCU:\\\\Software\\\\Classes\\\\Local Settings\\\\Software\\\\Microsoft\\\\Windows\\\\Shell'\\n $bagMRURoot = $ShellRegRoot + '\\\\BagMRU'\\n $bagRoot = $ShellRegRoot + '\\\\Bags'\\n\\n # Define the target GUID tail for MSGraphHome\\n $HomeFolderGuid = '14001F400E3174F8B7B6DC47BC84B9E6B38F59030000'\\n\\n $properties = Get-ItemProperty -Path $bagMRURoot\\n\\n foreach ($property in $properties.PSObject.Properties) {\\n if ($property.TypeNameOfValue -eq 'System.Byte[]') {\\n $hexString = ($property.Value | ForEach-Object { $_.ToString('X2') }) -join ''\\n if ($hexString -eq $HomeFolderGuid) {\\n $subkey = $property.Name\\n $nodeSlot = Get-ItemPropertyValue -Path ($bagMRURoot + '\\\\' + $subkey) -Name 'NodeSlot'\\n $isBroken = if ((Get-ItemPropertyValue -Path ($bagRoot + '\\\\' + $nodeSlot + '\\\\Shell\\\\*') -Name 'GroupView') -eq 0) { 1 } else { 0 }\\n break\\n }\\n }\\n }\\n\\n Write-Host 'Final result:',$isBroken\\n\\n\\tEngineVersion=5.1.19041.6093\\n\\tRunspaceId=c9755311-825f-4792-b167-0a46bcdf746f\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 400, "EventRecordId": "113", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-19T15:45:00.6607690+00:00", "RecordNumber": 113 } { "PayloadData1": "HostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Engine state is changed from None to Available", "ChunkNumber": 2, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Available, None, \\tNewEngineState=Available\\n\\tPreviousEngineState=None\\n\\n\\tSequenceNumber=13\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=75cebfd0-bd64-4bb6-b3ca-a6230c97b774\\n\\tHostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';\\n\\tEngineVersion=5.1.19041.6093\\n\\tRunspaceId=ada5d964-bce3-4ed4-9ac5-74d3cdff1c1b\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 400, "EventRecordId": "114", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-19T15:45:00.6607690+00:00", "RecordNumber": 114 } { "PayloadData1": "HostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Engine state is changed from Available to Stopped", "ChunkNumber": 2, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Stopped, Available, \\tNewEngineState=Stopped\\n\\tPreviousEngineState=Available\\n\\n\\tSequenceNumber=15\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=75cebfd0-bd64-4bb6-b3ca-a6230c97b774\\n\\tHostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';\\n\\tEngineVersion=5.1.19041.6093\\n\\tRunspaceId=ada5d964-bce3-4ed4-9ac5-74d3cdff1c1b\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 403, "EventRecordId": "115", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-19T15:45:11.2399294+00:00", "RecordNumber": 115 } { "PayloadData1": "HostApplication=powershell.exe -ExecutionPolicy Restricted -Command \r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Engine state is changed from Available to Stopped", "ChunkNumber": 3, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Stopped, Available, \\tNewEngineState=Stopped\\n\\tPreviousEngineState=Available\\n\\n\\tSequenceNumber=15\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=650976dc-26da-478d-8a05-f6a12e4c32f4\\n\\tHostApplication=powershell.exe -ExecutionPolicy Restricted -Command \\n $isBroken = 0\\n\\n # Define the root registry path\\n $ShellRegRoot = 'HKCU:\\\\Software\\\\Classes\\\\Local Settings\\\\Software\\\\Microsoft\\\\Windows\\\\Shell'\\n $bagMRURoot = $ShellRegRoot + '\\\\BagMRU'\\n $bagRoot = $ShellRegRoot + '\\\\Bags'\\n\\n # Define the target GUID tail for MSGraphHome\\n $HomeFolderGuid = '14001F400E3174F8B7B6DC47BC84B9E6B38F59030000'\\n\\n $properties = Get-ItemProperty -Path $bagMRURoot\\n\\n foreach ($property in $properties.PSObject.Properties) {\\n if ($property.TypeNameOfValue -eq 'System.Byte[]') {\\n $hexString = ($property.Value | ForEach-Object { $_.ToString('X2') }) -join ''\\n if ($hexString -eq $HomeFolderGuid) {\\n $subkey = $property.Name\\n $nodeSlot = Get-ItemPropertyValue -Path ($bagMRURoot + '\\\\' + $subkey) -Name 'NodeSlot'\\n $isBroken = if ((Get-ItemPropertyValue -Path ($bagRoot + '\\\\' + $nodeSlot + '\\\\Shell\\\\*') -Name 'GroupView') -eq 0) { 1 } else { 0 }\\n break\\n }\\n }\\n }\\n\\n Write-Host 'Final result:',$isBroken\\n\\n\\tEngineVersion=5.1.19041.6093\\n\\tRunspaceId=c9755311-825f-4792-b167-0a46bcdf746f\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 403, "EventRecordId": "116", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-19T15:45:14.9752231+00:00", "RecordNumber": 116 } { "PayloadData1": "HostApplication=powershell.exe -ExecutionPolicy Restricted -Command \r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Provider is Started", "ChunkNumber": 3, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Registry, Started, \\tProviderName=Registry\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=1\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=920551ed-9b02-4c89-9c74-099156564d3b\\n\\tHostApplication=powershell.exe -ExecutionPolicy Restricted -Command \\n $isBroken = 0\\n\\n # Define the root registry path\\n $ShellRegRoot = 'HKCU:\\\\Software\\\\Classes\\\\Local Settings\\\\Software\\\\Microsoft\\\\Windows\\\\Shell'\\n $bagMRURoot = $ShellRegRoot + '\\\\BagMRU'\\n $bagRoot = $ShellRegRoot + '\\\\Bags'\\n\\n # Define the target GUID tail for MSGraphHome\\n $HomeFolderGuid = '14001F400E3174F8B7B6DC47BC84B9E6B38F59030000'\\n\\n $properties = Get-ItemProperty -Path $bagMRURoot\\n\\n foreach ($property in $properties.PSObject.Properties) {\\n if ($property.TypeNameOfValue -eq 'System.Byte[]') {\\n $hexString = ($property.Value | ForEach-Object { $_.ToString('X2') }) -join ''\\n if ($hexString -eq $HomeFolderGuid) {\\n $subkey = $property.Name\\n $nodeSlot = Get-ItemPropertyValue -Path ($bagMRURoot + '\\\\' + $subkey) -Name 'NodeSlot'\\n $isBroken = if ((Get-ItemPropertyValue -Path ($bagRoot + '\\\\' + $nodeSlot + '\\\\Shell\\\\*') -Name 'GroupView') -eq 0) { 1 } else { 0 }\\n break\\n }\\n }\\n }\\n\\n Write-Host 'Final result:',$isBroken\\n\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "117", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-19T16:03:53.2941641+00:00", "RecordNumber": 117 } { "PayloadData1": "HostApplication=powershell.exe -ExecutionPolicy Restricted -Command \r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Provider is Started", "ChunkNumber": 3, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Alias, Started, \\tProviderName=Alias\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=3\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=920551ed-9b02-4c89-9c74-099156564d3b\\n\\tHostApplication=powershell.exe -ExecutionPolicy Restricted -Command \\n $isBroken = 0\\n\\n # Define the root registry path\\n $ShellRegRoot = 'HKCU:\\\\Software\\\\Classes\\\\Local Settings\\\\Software\\\\Microsoft\\\\Windows\\\\Shell'\\n $bagMRURoot = $ShellRegRoot + '\\\\BagMRU'\\n $bagRoot = $ShellRegRoot + '\\\\Bags'\\n\\n # Define the target GUID tail for MSGraphHome\\n $HomeFolderGuid = '14001F400E3174F8B7B6DC47BC84B9E6B38F59030000'\\n\\n $properties = Get-ItemProperty -Path $bagMRURoot\\n\\n foreach ($property in $properties.PSObject.Properties) {\\n if ($property.TypeNameOfValue -eq 'System.Byte[]') {\\n $hexString = ($property.Value | ForEach-Object { $_.ToString('X2') }) -join ''\\n if ($hexString -eq $HomeFolderGuid) {\\n $subkey = $property.Name\\n $nodeSlot = Get-ItemPropertyValue -Path ($bagMRURoot + '\\\\' + $subkey) -Name 'NodeSlot'\\n $isBroken = if ((Get-ItemPropertyValue -Path ($bagRoot + '\\\\' + $nodeSlot + '\\\\Shell\\\\*') -Name 'GroupView') -eq 0) { 1 } else { 0 }\\n break\\n }\\n }\\n }\\n\\n Write-Host 'Final result:',$isBroken\\n\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "118", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-19T16:03:53.3338636+00:00", "RecordNumber": 118 } { "PayloadData1": "HostApplication=powershell.exe -ExecutionPolicy Restricted -Command \r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Provider is Started", "ChunkNumber": 3, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Environment, Started, \\tProviderName=Environment\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=5\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=920551ed-9b02-4c89-9c74-099156564d3b\\n\\tHostApplication=powershell.exe -ExecutionPolicy Restricted -Command \\n $isBroken = 0\\n\\n # Define the root registry path\\n $ShellRegRoot = 'HKCU:\\\\Software\\\\Classes\\\\Local Settings\\\\Software\\\\Microsoft\\\\Windows\\\\Shell'\\n $bagMRURoot = $ShellRegRoot + '\\\\BagMRU'\\n $bagRoot = $ShellRegRoot + '\\\\Bags'\\n\\n # Define the target GUID tail for MSGraphHome\\n $HomeFolderGuid = '14001F400E3174F8B7B6DC47BC84B9E6B38F59030000'\\n\\n $properties = Get-ItemProperty -Path $bagMRURoot\\n\\n foreach ($property in $properties.PSObject.Properties) {\\n if ($property.TypeNameOfValue -eq 'System.Byte[]') {\\n $hexString = ($property.Value | ForEach-Object { $_.ToString('X2') }) -join ''\\n if ($hexString -eq $HomeFolderGuid) {\\n $subkey = $property.Name\\n $nodeSlot = Get-ItemPropertyValue -Path ($bagMRURoot + '\\\\' + $subkey) -Name 'NodeSlot'\\n $isBroken = if ((Get-ItemPropertyValue -Path ($bagRoot + '\\\\' + $nodeSlot + '\\\\Shell\\\\*') -Name 'GroupView') -eq 0) { 1 } else { 0 }\\n break\\n }\\n }\\n }\\n\\n Write-Host 'Final result:',$isBroken\\n\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "119", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-19T16:03:53.3403700+00:00", "RecordNumber": 119 } { "PayloadData1": "HostApplication=powershell.exe -ExecutionPolicy Restricted -Command \r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Provider is Started", "ChunkNumber": 3, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"FileSystem, Started, \\tProviderName=FileSystem\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=7\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=920551ed-9b02-4c89-9c74-099156564d3b\\n\\tHostApplication=powershell.exe -ExecutionPolicy Restricted -Command \\n $isBroken = 0\\n\\n # Define the root registry path\\n $ShellRegRoot = 'HKCU:\\\\Software\\\\Classes\\\\Local Settings\\\\Software\\\\Microsoft\\\\Windows\\\\Shell'\\n $bagMRURoot = $ShellRegRoot + '\\\\BagMRU'\\n $bagRoot = $ShellRegRoot + '\\\\Bags'\\n\\n # Define the target GUID tail for MSGraphHome\\n $HomeFolderGuid = '14001F400E3174F8B7B6DC47BC84B9E6B38F59030000'\\n\\n $properties = Get-ItemProperty -Path $bagMRURoot\\n\\n foreach ($property in $properties.PSObject.Properties) {\\n if ($property.TypeNameOfValue -eq 'System.Byte[]') {\\n $hexString = ($property.Value | ForEach-Object { $_.ToString('X2') }) -join ''\\n if ($hexString -eq $HomeFolderGuid) {\\n $subkey = $property.Name\\n $nodeSlot = Get-ItemPropertyValue -Path ($bagMRURoot + '\\\\' + $subkey) -Name 'NodeSlot'\\n $isBroken = if ((Get-ItemPropertyValue -Path ($bagRoot + '\\\\' + $nodeSlot + '\\\\Shell\\\\*') -Name 'GroupView') -eq 0) { 1 } else { 0 }\\n break\\n }\\n }\\n }\\n\\n Write-Host 'Final result:',$isBroken\\n\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "120", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-19T16:03:53.4806194+00:00", "RecordNumber": 120 } { "PayloadData1": "HostApplication=powershell.exe -ExecutionPolicy Restricted -Command \r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Provider is Started", "ChunkNumber": 3, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Function, Started, \\tProviderName=Function\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=9\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=920551ed-9b02-4c89-9c74-099156564d3b\\n\\tHostApplication=powershell.exe -ExecutionPolicy Restricted -Command \\n $isBroken = 0\\n\\n # Define the root registry path\\n $ShellRegRoot = 'HKCU:\\\\Software\\\\Classes\\\\Local Settings\\\\Software\\\\Microsoft\\\\Windows\\\\Shell'\\n $bagMRURoot = $ShellRegRoot + '\\\\BagMRU'\\n $bagRoot = $ShellRegRoot + '\\\\Bags'\\n\\n # Define the target GUID tail for MSGraphHome\\n $HomeFolderGuid = '14001F400E3174F8B7B6DC47BC84B9E6B38F59030000'\\n\\n $properties = Get-ItemProperty -Path $bagMRURoot\\n\\n foreach ($property in $properties.PSObject.Properties) {\\n if ($property.TypeNameOfValue -eq 'System.Byte[]') {\\n $hexString = ($property.Value | ForEach-Object { $_.ToString('X2') }) -join ''\\n if ($hexString -eq $HomeFolderGuid) {\\n $subkey = $property.Name\\n $nodeSlot = Get-ItemPropertyValue -Path ($bagMRURoot + '\\\\' + $subkey) -Name 'NodeSlot'\\n $isBroken = if ((Get-ItemPropertyValue -Path ($bagRoot + '\\\\' + $nodeSlot + '\\\\Shell\\\\*') -Name 'GroupView') -eq 0) { 1 } else { 0 }\\n break\\n }\\n }\\n }\\n\\n Write-Host 'Final result:',$isBroken\\n\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "121", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-19T16:03:53.4806194+00:00", "RecordNumber": 121 } { "PayloadData1": "HostApplication=powershell.exe -ExecutionPolicy Restricted -Command \r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Provider is Started", "ChunkNumber": 3, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Variable, Started, \\tProviderName=Variable\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=11\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=920551ed-9b02-4c89-9c74-099156564d3b\\n\\tHostApplication=powershell.exe -ExecutionPolicy Restricted -Command \\n $isBroken = 0\\n\\n # Define the root registry path\\n $ShellRegRoot = 'HKCU:\\\\Software\\\\Classes\\\\Local Settings\\\\Software\\\\Microsoft\\\\Windows\\\\Shell'\\n $bagMRURoot = $ShellRegRoot + '\\\\BagMRU'\\n $bagRoot = $ShellRegRoot + '\\\\Bags'\\n\\n # Define the target GUID tail for MSGraphHome\\n $HomeFolderGuid = '14001F400E3174F8B7B6DC47BC84B9E6B38F59030000'\\n\\n $properties = Get-ItemProperty -Path $bagMRURoot\\n\\n foreach ($property in $properties.PSObject.Properties) {\\n if ($property.TypeNameOfValue -eq 'System.Byte[]') {\\n $hexString = ($property.Value | ForEach-Object { $_.ToString('X2') }) -join ''\\n if ($hexString -eq $HomeFolderGuid) {\\n $subkey = $property.Name\\n $nodeSlot = Get-ItemPropertyValue -Path ($bagMRURoot + '\\\\' + $subkey) -Name 'NodeSlot'\\n $isBroken = if ((Get-ItemPropertyValue -Path ($bagRoot + '\\\\' + $nodeSlot + '\\\\Shell\\\\*') -Name 'GroupView') -eq 0) { 1 } else { 0 }\\n break\\n }\\n }\\n }\\n\\n Write-Host 'Final result:',$isBroken\\n\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "122", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-19T16:03:53.4972163+00:00", "RecordNumber": 122 } { "PayloadData1": "HostApplication=powershell.exe -ExecutionPolicy Restricted -Command \r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Engine state is changed from None to Available", "ChunkNumber": 3, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Available, None, \\tNewEngineState=Available\\n\\tPreviousEngineState=None\\n\\n\\tSequenceNumber=13\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=920551ed-9b02-4c89-9c74-099156564d3b\\n\\tHostApplication=powershell.exe -ExecutionPolicy Restricted -Command \\n $isBroken = 0\\n\\n # Define the root registry path\\n $ShellRegRoot = 'HKCU:\\\\Software\\\\Classes\\\\Local Settings\\\\Software\\\\Microsoft\\\\Windows\\\\Shell'\\n $bagMRURoot = $ShellRegRoot + '\\\\BagMRU'\\n $bagRoot = $ShellRegRoot + '\\\\Bags'\\n\\n # Define the target GUID tail for MSGraphHome\\n $HomeFolderGuid = '14001F400E3174F8B7B6DC47BC84B9E6B38F59030000'\\n\\n $properties = Get-ItemProperty -Path $bagMRURoot\\n\\n foreach ($property in $properties.PSObject.Properties) {\\n if ($property.TypeNameOfValue -eq 'System.Byte[]') {\\n $hexString = ($property.Value | ForEach-Object { $_.ToString('X2') }) -join ''\\n if ($hexString -eq $HomeFolderGuid) {\\n $subkey = $property.Name\\n $nodeSlot = Get-ItemPropertyValue -Path ($bagMRURoot + '\\\\' + $subkey) -Name 'NodeSlot'\\n $isBroken = if ((Get-ItemPropertyValue -Path ($bagRoot + '\\\\' + $nodeSlot + '\\\\Shell\\\\*') -Name 'GroupView') -eq 0) { 1 } else { 0 }\\n break\\n }\\n }\\n }\\n\\n Write-Host 'Final result:',$isBroken\\n\\n\\tEngineVersion=5.1.19041.6093\\n\\tRunspaceId=492dfc98-4481-4e7f-948b-9cb5574e9bfd\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 400, "EventRecordId": "123", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-19T16:03:53.9851259+00:00", "RecordNumber": 123 } { "PayloadData1": "HostApplication=powershell.exe -ExecutionPolicy Restricted -Command \r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Engine state is changed from Available to Stopped", "ChunkNumber": 3, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Stopped, Available, \\tNewEngineState=Stopped\\n\\tPreviousEngineState=Available\\n\\n\\tSequenceNumber=53\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=920551ed-9b02-4c89-9c74-099156564d3b\\n\\tHostApplication=powershell.exe -ExecutionPolicy Restricted -Command \\n $isBroken = 0\\n\\n # Define the root registry path\\n $ShellRegRoot = 'HKCU:\\\\Software\\\\Classes\\\\Local Settings\\\\Software\\\\Microsoft\\\\Windows\\\\Shell'\\n $bagMRURoot = $ShellRegRoot + '\\\\BagMRU'\\n $bagRoot = $ShellRegRoot + '\\\\Bags'\\n\\n # Define the target GUID tail for MSGraphHome\\n $HomeFolderGuid = '14001F400E3174F8B7B6DC47BC84B9E6B38F59030000'\\n\\n $properties = Get-ItemProperty -Path $bagMRURoot\\n\\n foreach ($property in $properties.PSObject.Properties) {\\n if ($property.TypeNameOfValue -eq 'System.Byte[]') {\\n $hexString = ($property.Value | ForEach-Object { $_.ToString('X2') }) -join ''\\n if ($hexString -eq $HomeFolderGuid) {\\n $subkey = $property.Name\\n $nodeSlot = Get-ItemPropertyValue -Path ($bagMRURoot + '\\\\' + $subkey) -Name 'NodeSlot'\\n $isBroken = if ((Get-ItemPropertyValue -Path ($bagRoot + '\\\\' + $nodeSlot + '\\\\Shell\\\\*') -Name 'GroupView') -eq 0) { 1 } else { 0 }\\n break\\n }\\n }\\n }\\n\\n Write-Host 'Final result:',$isBroken\\n\\n\\tEngineVersion=5.1.19041.6093\\n\\tRunspaceId=492dfc98-4481-4e7f-948b-9cb5574e9bfd\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 403, "EventRecordId": "124", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-19T16:03:59.3038573+00:00", "RecordNumber": 124 } { "PayloadData1": "HostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Provider is Started", "ChunkNumber": 3, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Registry, Started, \\tProviderName=Registry\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=1\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=29ce0801-26f7-4672-aa90-b0d1d3467530\\n\\tHostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "125", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-19T16:04:01.4468643+00:00", "RecordNumber": 125 } { "PayloadData1": "HostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Provider is Started", "ChunkNumber": 3, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Alias, Started, \\tProviderName=Alias\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=3\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=29ce0801-26f7-4672-aa90-b0d1d3467530\\n\\tHostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "126", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-19T16:04:01.5547848+00:00", "RecordNumber": 126 } { "PayloadData1": "HostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Provider is Started", "ChunkNumber": 3, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Environment, Started, \\tProviderName=Environment\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=5\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=29ce0801-26f7-4672-aa90-b0d1d3467530\\n\\tHostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "127", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-19T16:04:01.5611354+00:00", "RecordNumber": 127 } { "PayloadData1": "HostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Provider is Started", "ChunkNumber": 3, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"FileSystem, Started, \\tProviderName=FileSystem\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=7\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=29ce0801-26f7-4672-aa90-b0d1d3467530\\n\\tHostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "128", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-19T16:04:01.6640441+00:00", "RecordNumber": 128 } { "PayloadData1": "HostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Provider is Started", "ChunkNumber": 3, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Function, Started, \\tProviderName=Function\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=9\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=29ce0801-26f7-4672-aa90-b0d1d3467530\\n\\tHostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "129", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-19T16:04:01.6935897+00:00", "RecordNumber": 129 } { "PayloadData1": "HostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Provider is Started", "ChunkNumber": 3, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Variable, Started, \\tProviderName=Variable\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=11\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=29ce0801-26f7-4672-aa90-b0d1d3467530\\n\\tHostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "130", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-19T16:04:01.6935897+00:00", "RecordNumber": 130 } { "PayloadData1": "HostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Engine state is changed from None to Available", "ChunkNumber": 3, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Available, None, \\tNewEngineState=Available\\n\\tPreviousEngineState=None\\n\\n\\tSequenceNumber=13\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=29ce0801-26f7-4672-aa90-b0d1d3467530\\n\\tHostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';\\n\\tEngineVersion=5.1.19041.6093\\n\\tRunspaceId=bbd2a2bd-9b05-4402-b2bf-c34a58b2f941\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 400, "EventRecordId": "131", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-19T16:04:02.1328223+00:00", "RecordNumber": 131 } { "PayloadData1": "HostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Engine state is changed from Available to Stopped", "ChunkNumber": 3, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Stopped, Available, \\tNewEngineState=Stopped\\n\\tPreviousEngineState=Available\\n\\n\\tSequenceNumber=29\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=29ce0801-26f7-4672-aa90-b0d1d3467530\\n\\tHostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';\\n\\tEngineVersion=5.1.19041.6093\\n\\tRunspaceId=bbd2a2bd-9b05-4402-b2bf-c34a58b2f941\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 403, "EventRecordId": "132", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-19T16:04:05.8374747+00:00", "RecordNumber": 132 } { "PayloadData1": "HostApplication=C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Provider is Started", "ChunkNumber": 3, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Registry, Started, \\tProviderName=Registry\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=1\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=284bd9f8-c7f7-4db6-b633-6dd8779fafec\\n\\tHostApplication=C:\\\\Windows\\\\SysWOW64\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "133", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-19T16:47:08.6019629+00:00", "RecordNumber": 133 } { "PayloadData1": "HostApplication=C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Provider is Started", "ChunkNumber": 3, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Alias, Started, \\tProviderName=Alias\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=3\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=284bd9f8-c7f7-4db6-b633-6dd8779fafec\\n\\tHostApplication=C:\\\\Windows\\\\SysWOW64\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "134", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-19T16:47:08.6246522+00:00", "RecordNumber": 134 } { "PayloadData1": "HostApplication=C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Provider is Started", "ChunkNumber": 3, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Environment, Started, \\tProviderName=Environment\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=5\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=284bd9f8-c7f7-4db6-b633-6dd8779fafec\\n\\tHostApplication=C:\\\\Windows\\\\SysWOW64\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "135", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-19T16:47:08.6382314+00:00", "RecordNumber": 135 } { "PayloadData1": "HostApplication=C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Provider is Started", "ChunkNumber": 3, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"FileSystem, Started, \\tProviderName=FileSystem\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=7\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=284bd9f8-c7f7-4db6-b633-6dd8779fafec\\n\\tHostApplication=C:\\\\Windows\\\\SysWOW64\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "136", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-19T16:47:09.0958078+00:00", "RecordNumber": 136 } { "PayloadData1": "HostApplication=C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Provider is Started", "ChunkNumber": 3, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Function, Started, \\tProviderName=Function\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=9\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=284bd9f8-c7f7-4db6-b633-6dd8779fafec\\n\\tHostApplication=C:\\\\Windows\\\\SysWOW64\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "137", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-19T16:47:09.0958078+00:00", "RecordNumber": 137 } { "PayloadData1": "HostApplication=C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Provider is Started", "ChunkNumber": 3, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Variable, Started, \\tProviderName=Variable\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=11\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=284bd9f8-c7f7-4db6-b633-6dd8779fafec\\n\\tHostApplication=C:\\\\Windows\\\\SysWOW64\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "138", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-19T16:47:09.1082909+00:00", "RecordNumber": 138 } { "PayloadData1": "HostApplication=C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Engine state is changed from None to Available", "ChunkNumber": 3, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Available, None, \\tNewEngineState=Available\\n\\tPreviousEngineState=None\\n\\n\\tSequenceNumber=13\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=284bd9f8-c7f7-4db6-b633-6dd8779fafec\\n\\tHostApplication=C:\\\\Windows\\\\SysWOW64\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\n\\tEngineVersion=5.1.19041.6093\\n\\tRunspaceId=6b0f1452-ac81-4f8c-ace7-e9339696ac28\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 400, "EventRecordId": "139", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-19T16:47:09.3122482+00:00", "RecordNumber": 139 } { "PayloadData1": "HostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -nop -c if ($PSVersionTable.PSEdition -ne 'Core') {$f=[System.IO.File]::ReadAllText('C:\\Users\\alexis.arval-ADMIN\\AppData\\Local\\Temp\\MAS_d172b8d5-9bad-45c6-9e0c-8f1d5a6837db.cmd') -split ':pstst';. ([scriptblock]::Create($f[1]))}\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Provider is Started", "ChunkNumber": 3, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Registry, Started, \\tProviderName=Registry\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=1\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=c4300db0-23c6-4f96-9589-ec86405653ea\\n\\tHostApplication=C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -nop -c if ($PSVersionTable.PSEdition -ne 'Core') {$f=[System.IO.File]::ReadAllText('C:\\\\Users\\\\alexis.arval-ADMIN\\\\AppData\\\\Local\\\\Temp\\\\MAS_d172b8d5-9bad-45c6-9e0c-8f1d5a6837db.cmd') -split ':pstst';. ([scriptblock]::Create($f[1]))}\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "140", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-20T10:49:22.9434245+00:00", "RecordNumber": 140 } { "PayloadData1": "HostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -nop -c if ($PSVersionTable.PSEdition -ne 'Core') {$f=[System.IO.File]::ReadAllText('C:\\Users\\alexis.arval-ADMIN\\AppData\\Local\\Temp\\MAS_d172b8d5-9bad-45c6-9e0c-8f1d5a6837db.cmd') -split ':pstst';. ([scriptblock]::Create($f[1]))}\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Provider is Started", "ChunkNumber": 3, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Alias, Started, \\tProviderName=Alias\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=3\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=c4300db0-23c6-4f96-9589-ec86405653ea\\n\\tHostApplication=C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -nop -c if ($PSVersionTable.PSEdition -ne 'Core') {$f=[System.IO.File]::ReadAllText('C:\\\\Users\\\\alexis.arval-ADMIN\\\\AppData\\\\Local\\\\Temp\\\\MAS_d172b8d5-9bad-45c6-9e0c-8f1d5a6837db.cmd') -split ':pstst';. ([scriptblock]::Create($f[1]))}\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "141", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-20T10:49:22.9946074+00:00", "RecordNumber": 141 } { "PayloadData1": "HostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -nop -c if ($PSVersionTable.PSEdition -ne 'Core') {$f=[System.IO.File]::ReadAllText('C:\\Users\\alexis.arval-ADMIN\\AppData\\Local\\Temp\\MAS_d172b8d5-9bad-45c6-9e0c-8f1d5a6837db.cmd') -split ':pstst';. ([scriptblock]::Create($f[1]))}\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Provider is Started", "ChunkNumber": 3, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Environment, Started, \\tProviderName=Environment\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=5\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=c4300db0-23c6-4f96-9589-ec86405653ea\\n\\tHostApplication=C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -nop -c if ($PSVersionTable.PSEdition -ne 'Core') {$f=[System.IO.File]::ReadAllText('C:\\\\Users\\\\alexis.arval-ADMIN\\\\AppData\\\\Local\\\\Temp\\\\MAS_d172b8d5-9bad-45c6-9e0c-8f1d5a6837db.cmd') -split ':pstst';. ([scriptblock]::Create($f[1]))}\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "142", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-20T10:49:23.0163205+00:00", "RecordNumber": 142 } { "PayloadData1": "HostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -nop -c if ($PSVersionTable.PSEdition -ne 'Core') {$f=[System.IO.File]::ReadAllText('C:\\Users\\alexis.arval-ADMIN\\AppData\\Local\\Temp\\MAS_d172b8d5-9bad-45c6-9e0c-8f1d5a6837db.cmd') -split ':pstst';. ([scriptblock]::Create($f[1]))}\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Provider is Started", "ChunkNumber": 3, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"FileSystem, Started, \\tProviderName=FileSystem\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=7\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=c4300db0-23c6-4f96-9589-ec86405653ea\\n\\tHostApplication=C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -nop -c if ($PSVersionTable.PSEdition -ne 'Core') {$f=[System.IO.File]::ReadAllText('C:\\\\Users\\\\alexis.arval-ADMIN\\\\AppData\\\\Local\\\\Temp\\\\MAS_d172b8d5-9bad-45c6-9e0c-8f1d5a6837db.cmd') -split ':pstst';. ([scriptblock]::Create($f[1]))}\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "143", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-20T10:49:23.1330004+00:00", "RecordNumber": 143 } { "PayloadData1": "HostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -nop -c if ($PSVersionTable.PSEdition -ne 'Core') {$f=[System.IO.File]::ReadAllText('C:\\Users\\alexis.arval-ADMIN\\AppData\\Local\\Temp\\MAS_d172b8d5-9bad-45c6-9e0c-8f1d5a6837db.cmd') -split ':pstst';. ([scriptblock]::Create($f[1]))}\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Provider is Started", "ChunkNumber": 3, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Function, Started, \\tProviderName=Function\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=9\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=c4300db0-23c6-4f96-9589-ec86405653ea\\n\\tHostApplication=C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -nop -c if ($PSVersionTable.PSEdition -ne 'Core') {$f=[System.IO.File]::ReadAllText('C:\\\\Users\\\\alexis.arval-ADMIN\\\\AppData\\\\Local\\\\Temp\\\\MAS_d172b8d5-9bad-45c6-9e0c-8f1d5a6837db.cmd') -split ':pstst';. ([scriptblock]::Create($f[1]))}\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "144", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-20T10:49:23.1787488+00:00", "RecordNumber": 144 } { "PayloadData1": "HostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -nop -c if ($PSVersionTable.PSEdition -ne 'Core') {$f=[System.IO.File]::ReadAllText('C:\\Users\\alexis.arval-ADMIN\\AppData\\Local\\Temp\\MAS_d172b8d5-9bad-45c6-9e0c-8f1d5a6837db.cmd') -split ':pstst';. ([scriptblock]::Create($f[1]))}\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Provider is Started", "ChunkNumber": 3, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Variable, Started, \\tProviderName=Variable\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=11\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=c4300db0-23c6-4f96-9589-ec86405653ea\\n\\tHostApplication=C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -nop -c if ($PSVersionTable.PSEdition -ne 'Core') {$f=[System.IO.File]::ReadAllText('C:\\\\Users\\\\alexis.arval-ADMIN\\\\AppData\\\\Local\\\\Temp\\\\MAS_d172b8d5-9bad-45c6-9e0c-8f1d5a6837db.cmd') -split ':pstst';. ([scriptblock]::Create($f[1]))}\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "145", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-20T10:49:23.1787488+00:00", "RecordNumber": 145 } { "PayloadData1": "HostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -nop -c if ($PSVersionTable.PSEdition -ne 'Core') {$f=[System.IO.File]::ReadAllText('C:\\Users\\alexis.arval-ADMIN\\AppData\\Local\\Temp\\MAS_d172b8d5-9bad-45c6-9e0c-8f1d5a6837db.cmd') -split ':pstst';. ([scriptblock]::Create($f[1]))}\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Engine state is changed from None to Available", "ChunkNumber": 3, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Available, None, \\tNewEngineState=Available\\n\\tPreviousEngineState=None\\n\\n\\tSequenceNumber=13\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=c4300db0-23c6-4f96-9589-ec86405653ea\\n\\tHostApplication=C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -nop -c if ($PSVersionTable.PSEdition -ne 'Core') {$f=[System.IO.File]::ReadAllText('C:\\\\Users\\\\alexis.arval-ADMIN\\\\AppData\\\\Local\\\\Temp\\\\MAS_d172b8d5-9bad-45c6-9e0c-8f1d5a6837db.cmd') -split ':pstst';. ([scriptblock]::Create($f[1]))}\\n\\tEngineVersion=5.1.19041.6093\\n\\tRunspaceId=12f7e6f4-7d91-4d98-bc1e-35498d46f009\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 400, "EventRecordId": "146", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-20T10:49:24.2794495+00:00", "RecordNumber": 146 } { "PayloadData1": "HostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -nop -c if ($PSVersionTable.PSEdition -ne 'Core') {$f=[System.IO.File]::ReadAllText('C:\\Users\\alexis.arval-ADMIN\\AppData\\Local\\Temp\\MAS_d172b8d5-9bad-45c6-9e0c-8f1d5a6837db.cmd') -split ':pstst';. ([scriptblock]::Create($f[1]))}\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Engine state is changed from Available to Stopped", "ChunkNumber": 3, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Stopped, Available, \\tNewEngineState=Stopped\\n\\tPreviousEngineState=Available\\n\\n\\tSequenceNumber=15\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=c4300db0-23c6-4f96-9589-ec86405653ea\\n\\tHostApplication=C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -nop -c if ($PSVersionTable.PSEdition -ne 'Core') {$f=[System.IO.File]::ReadAllText('C:\\\\Users\\\\alexis.arval-ADMIN\\\\AppData\\\\Local\\\\Temp\\\\MAS_d172b8d5-9bad-45c6-9e0c-8f1d5a6837db.cmd') -split ':pstst';. ([scriptblock]::Create($f[1]))}\\n\\tEngineVersion=5.1.19041.6093\\n\\tRunspaceId=12f7e6f4-7d91-4d98-bc1e-35498d46f009\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 403, "EventRecordId": "147", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-20T10:49:25.9701008+00:00", "RecordNumber": 147 } { "PayloadData1": "HostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -nop -c if ($PSVersionTable.PSEdition -ne 'Core') {$f=[System.IO.File]::ReadAllText('C:\\Users\\alexis.arval-ADMIN\\AppData\\Local\\Temp\\MAS_d172b8d5-9bad-45c6-9e0c-8f1d5a6837db.cmd') -split ':pstst';. ([scriptblock]::Create($f[1]))}\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Provider is Started", "ChunkNumber": 3, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Registry, Started, \\tProviderName=Registry\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=1\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=e6ce8938-075f-4920-9b6e-ead5ca807739\\n\\tHostApplication=C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -nop -c if ($PSVersionTable.PSEdition -ne 'Core') {$f=[System.IO.File]::ReadAllText('C:\\\\Users\\\\alexis.arval-ADMIN\\\\AppData\\\\Local\\\\Temp\\\\MAS_d172b8d5-9bad-45c6-9e0c-8f1d5a6837db.cmd') -split ':pstst';. ([scriptblock]::Create($f[1]))}\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "148", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-20T10:49:31.6610763+00:00", "RecordNumber": 148 } { "PayloadData1": "HostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -nop -c if ($PSVersionTable.PSEdition -ne 'Core') {$f=[System.IO.File]::ReadAllText('C:\\Users\\alexis.arval-ADMIN\\AppData\\Local\\Temp\\MAS_d172b8d5-9bad-45c6-9e0c-8f1d5a6837db.cmd') -split ':pstst';. ([scriptblock]::Create($f[1]))}\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Provider is Started", "ChunkNumber": 3, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Alias, Started, \\tProviderName=Alias\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=3\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=e6ce8938-075f-4920-9b6e-ead5ca807739\\n\\tHostApplication=C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -nop -c if ($PSVersionTable.PSEdition -ne 'Core') {$f=[System.IO.File]::ReadAllText('C:\\\\Users\\\\alexis.arval-ADMIN\\\\AppData\\\\Local\\\\Temp\\\\MAS_d172b8d5-9bad-45c6-9e0c-8f1d5a6837db.cmd') -split ':pstst';. ([scriptblock]::Create($f[1]))}\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "149", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-20T10:49:31.7023163+00:00", "RecordNumber": 149 } { "PayloadData1": "HostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -nop -c if ($PSVersionTable.PSEdition -ne 'Core') {$f=[System.IO.File]::ReadAllText('C:\\Users\\alexis.arval-ADMIN\\AppData\\Local\\Temp\\MAS_d172b8d5-9bad-45c6-9e0c-8f1d5a6837db.cmd') -split ':pstst';. ([scriptblock]::Create($f[1]))}\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Provider is Started", "ChunkNumber": 3, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Environment, Started, \\tProviderName=Environment\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=5\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=e6ce8938-075f-4920-9b6e-ead5ca807739\\n\\tHostApplication=C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -nop -c if ($PSVersionTable.PSEdition -ne 'Core') {$f=[System.IO.File]::ReadAllText('C:\\\\Users\\\\alexis.arval-ADMIN\\\\AppData\\\\Local\\\\Temp\\\\MAS_d172b8d5-9bad-45c6-9e0c-8f1d5a6837db.cmd') -split ':pstst';. ([scriptblock]::Create($f[1]))}\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "150", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-20T10:49:31.7229870+00:00", "RecordNumber": 150 } { "PayloadData1": "HostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -nop -c if ($PSVersionTable.PSEdition -ne 'Core') {$f=[System.IO.File]::ReadAllText('C:\\Users\\alexis.arval-ADMIN\\AppData\\Local\\Temp\\MAS_d172b8d5-9bad-45c6-9e0c-8f1d5a6837db.cmd') -split ':pstst';. ([scriptblock]::Create($f[1]))}\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Provider is Started", "ChunkNumber": 3, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"FileSystem, Started, \\tProviderName=FileSystem\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=7\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=e6ce8938-075f-4920-9b6e-ead5ca807739\\n\\tHostApplication=C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -nop -c if ($PSVersionTable.PSEdition -ne 'Core') {$f=[System.IO.File]::ReadAllText('C:\\\\Users\\\\alexis.arval-ADMIN\\\\AppData\\\\Local\\\\Temp\\\\MAS_d172b8d5-9bad-45c6-9e0c-8f1d5a6837db.cmd') -split ':pstst';. ([scriptblock]::Create($f[1]))}\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "151", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-20T10:49:31.9338052+00:00", "RecordNumber": 151 } { "PayloadData1": "HostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -nop -c if ($PSVersionTable.PSEdition -ne 'Core') {$f=[System.IO.File]::ReadAllText('C:\\Users\\alexis.arval-ADMIN\\AppData\\Local\\Temp\\MAS_d172b8d5-9bad-45c6-9e0c-8f1d5a6837db.cmd') -split ':pstst';. ([scriptblock]::Create($f[1]))}\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Provider is Started", "ChunkNumber": 3, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Function, Started, \\tProviderName=Function\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=9\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=e6ce8938-075f-4920-9b6e-ead5ca807739\\n\\tHostApplication=C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -nop -c if ($PSVersionTable.PSEdition -ne 'Core') {$f=[System.IO.File]::ReadAllText('C:\\\\Users\\\\alexis.arval-ADMIN\\\\AppData\\\\Local\\\\Temp\\\\MAS_d172b8d5-9bad-45c6-9e0c-8f1d5a6837db.cmd') -split ':pstst';. ([scriptblock]::Create($f[1]))}\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "152", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-20T10:49:31.9338052+00:00", "RecordNumber": 152 } { "PayloadData1": "HostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -nop -c if ($PSVersionTable.PSEdition -ne 'Core') {$f=[System.IO.File]::ReadAllText('C:\\Users\\alexis.arval-ADMIN\\AppData\\Local\\Temp\\MAS_d172b8d5-9bad-45c6-9e0c-8f1d5a6837db.cmd') -split ':pstst';. ([scriptblock]::Create($f[1]))}\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Provider is Started", "ChunkNumber": 3, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Variable, Started, \\tProviderName=Variable\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=11\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=e6ce8938-075f-4920-9b6e-ead5ca807739\\n\\tHostApplication=C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -nop -c if ($PSVersionTable.PSEdition -ne 'Core') {$f=[System.IO.File]::ReadAllText('C:\\\\Users\\\\alexis.arval-ADMIN\\\\AppData\\\\Local\\\\Temp\\\\MAS_d172b8d5-9bad-45c6-9e0c-8f1d5a6837db.cmd') -split ':pstst';. ([scriptblock]::Create($f[1]))}\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "153", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-20T10:49:31.9338052+00:00", "RecordNumber": 153 } { "PayloadData1": "HostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -nop -c if ($PSVersionTable.PSEdition -ne 'Core') {$f=[System.IO.File]::ReadAllText('C:\\Users\\alexis.arval-ADMIN\\AppData\\Local\\Temp\\MAS_d172b8d5-9bad-45c6-9e0c-8f1d5a6837db.cmd') -split ':pstst';. ([scriptblock]::Create($f[1]))}\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Engine state is changed from None to Available", "ChunkNumber": 3, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Available, None, \\tNewEngineState=Available\\n\\tPreviousEngineState=None\\n\\n\\tSequenceNumber=13\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=e6ce8938-075f-4920-9b6e-ead5ca807739\\n\\tHostApplication=C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -nop -c if ($PSVersionTable.PSEdition -ne 'Core') {$f=[System.IO.File]::ReadAllText('C:\\\\Users\\\\alexis.arval-ADMIN\\\\AppData\\\\Local\\\\Temp\\\\MAS_d172b8d5-9bad-45c6-9e0c-8f1d5a6837db.cmd') -split ':pstst';. ([scriptblock]::Create($f[1]))}\\n\\tEngineVersion=5.1.19041.6093\\n\\tRunspaceId=cb540f20-59ca-479f-9f87-bb5fa384563b\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 400, "EventRecordId": "154", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-20T10:49:32.5256466+00:00", "RecordNumber": 154 } { "PayloadData1": "HostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -nop -c if ($PSVersionTable.PSEdition -ne 'Core') {$f=[System.IO.File]::ReadAllText('C:\\Users\\alexis.arval-ADMIN\\AppData\\Local\\Temp\\MAS_d172b8d5-9bad-45c6-9e0c-8f1d5a6837db.cmd') -split ':pstst';. ([scriptblock]::Create($f[1]))}\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Engine state is changed from Available to Stopped", "ChunkNumber": 4, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Stopped, Available, \\tNewEngineState=Stopped\\n\\tPreviousEngineState=Available\\n\\n\\tSequenceNumber=15\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=e6ce8938-075f-4920-9b6e-ead5ca807739\\n\\tHostApplication=C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -nop -c if ($PSVersionTable.PSEdition -ne 'Core') {$f=[System.IO.File]::ReadAllText('C:\\\\Users\\\\alexis.arval-ADMIN\\\\AppData\\\\Local\\\\Temp\\\\MAS_d172b8d5-9bad-45c6-9e0c-8f1d5a6837db.cmd') -split ':pstst';. ([scriptblock]::Create($f[1]))}\\n\\tEngineVersion=5.1.19041.6093\\n\\tRunspaceId=cb540f20-59ca-479f-9f87-bb5fa384563b\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 403, "EventRecordId": "155", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-20T10:49:34.2115915+00:00", "RecordNumber": 155 } { "PayloadData1": "HostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -nop -c &{$W=$Host.UI.RawUI.WindowSize;$B=$Host.UI.RawUI.BufferSize;$W.Height=32;$B.Height=300;$Host.UI.RawUI.WindowSize=$W;$Host.UI.RawUI.BufferSize=$B;}\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Provider is Started", "ChunkNumber": 4, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Registry, Started, \\tProviderName=Registry\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=1\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=da6736f5-0505-4d08-87d2-362a9380f6b2\\n\\tHostApplication=C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -nop -c &{$W=$Host.UI.RawUI.WindowSize;$B=$Host.UI.RawUI.BufferSize;$W.Height=32;$B.Height=300;$Host.UI.RawUI.WindowSize=$W;$Host.UI.RawUI.BufferSize=$B;}\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "156", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-20T10:49:57.9216934+00:00", "RecordNumber": 156 } { "PayloadData1": "HostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -nop -c &{$W=$Host.UI.RawUI.WindowSize;$B=$Host.UI.RawUI.BufferSize;$W.Height=32;$B.Height=300;$Host.UI.RawUI.WindowSize=$W;$Host.UI.RawUI.BufferSize=$B;}\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Provider is Started", "ChunkNumber": 4, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Alias, Started, \\tProviderName=Alias\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=3\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=da6736f5-0505-4d08-87d2-362a9380f6b2\\n\\tHostApplication=C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -nop -c &{$W=$Host.UI.RawUI.WindowSize;$B=$Host.UI.RawUI.BufferSize;$W.Height=32;$B.Height=300;$Host.UI.RawUI.WindowSize=$W;$Host.UI.RawUI.BufferSize=$B;}\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "157", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-20T10:49:57.9216934+00:00", "RecordNumber": 157 } { "PayloadData1": "HostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -nop -c &{$W=$Host.UI.RawUI.WindowSize;$B=$Host.UI.RawUI.BufferSize;$W.Height=32;$B.Height=300;$Host.UI.RawUI.WindowSize=$W;$Host.UI.RawUI.BufferSize=$B;}\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Provider is Started", "ChunkNumber": 4, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Environment, Started, \\tProviderName=Environment\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=5\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=da6736f5-0505-4d08-87d2-362a9380f6b2\\n\\tHostApplication=C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -nop -c &{$W=$Host.UI.RawUI.WindowSize;$B=$Host.UI.RawUI.BufferSize;$W.Height=32;$B.Height=300;$Host.UI.RawUI.WindowSize=$W;$Host.UI.RawUI.BufferSize=$B;}\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "158", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-21T13:27:57.9216934+00:00", "RecordNumber": 158 } { "PayloadData1": "HostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -nop -c &{$W=$Host.UI.RawUI.WindowSize;$B=$Host.UI.RawUI.BufferSize;$W.Height=32;$B.Height=300;$Host.UI.RawUI.WindowSize=$W;$Host.UI.RawUI.BufferSize=$B;}\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Provider is Started", "ChunkNumber": 4, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"FileSystem, Started, \\tProviderName=FileSystem\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=7\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=da6736f5-0505-4d08-87d2-362a9380f6b2\\n\\tHostApplication=C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -nop -c &{$W=$Host.UI.RawUI.WindowSize;$B=$Host.UI.RawUI.BufferSize;$W.Height=32;$B.Height=300;$Host.UI.RawUI.WindowSize=$W;$Host.UI.RawUI.BufferSize=$B;}\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "159", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-21T13:27:58.0173109+00:00", "RecordNumber": 159 } { "PayloadData1": "HostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -nop -c &{$W=$Host.UI.RawUI.WindowSize;$B=$Host.UI.RawUI.BufferSize;$W.Height=32;$B.Height=300;$Host.UI.RawUI.WindowSize=$W;$Host.UI.RawUI.BufferSize=$B;}\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Provider is Started", "ChunkNumber": 4, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Function, Started, \\tProviderName=Function\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=9\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=da6736f5-0505-4d08-87d2-362a9380f6b2\\n\\tHostApplication=C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -nop -c &{$W=$Host.UI.RawUI.WindowSize;$B=$Host.UI.RawUI.BufferSize;$W.Height=32;$B.Height=300;$Host.UI.RawUI.WindowSize=$W;$Host.UI.RawUI.BufferSize=$B;}\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "160", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-21T13:27:58.0372170+00:00", "RecordNumber": 160 } { "PayloadData1": "HostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -nop -c &{$W=$Host.UI.RawUI.WindowSize;$B=$Host.UI.RawUI.BufferSize;$W.Height=32;$B.Height=300;$Host.UI.RawUI.WindowSize=$W;$Host.UI.RawUI.BufferSize=$B;}\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Provider is Started", "ChunkNumber": 4, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Variable, Started, \\tProviderName=Variable\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=11\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=da6736f5-0505-4d08-87d2-362a9380f6b2\\n\\tHostApplication=C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -nop -c &{$W=$Host.UI.RawUI.WindowSize;$B=$Host.UI.RawUI.BufferSize;$W.Height=32;$B.Height=300;$Host.UI.RawUI.WindowSize=$W;$Host.UI.RawUI.BufferSize=$B;}\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "161", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-21T13:27:58.0503145+00:00", "RecordNumber": 161 } { "PayloadData1": "HostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -nop -c &{$W=$Host.UI.RawUI.WindowSize;$B=$Host.UI.RawUI.BufferSize;$W.Height=32;$B.Height=300;$Host.UI.RawUI.WindowSize=$W;$Host.UI.RawUI.BufferSize=$B;}\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Engine state is changed from None to Available", "ChunkNumber": 4, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Available, None, \\tNewEngineState=Available\\n\\tPreviousEngineState=None\\n\\n\\tSequenceNumber=13\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=da6736f5-0505-4d08-87d2-362a9380f6b2\\n\\tHostApplication=C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -nop -c &{$W=$Host.UI.RawUI.WindowSize;$B=$Host.UI.RawUI.BufferSize;$W.Height=32;$B.Height=300;$Host.UI.RawUI.WindowSize=$W;$Host.UI.RawUI.BufferSize=$B;}\\n\\tEngineVersion=5.1.19041.6093\\n\\tRunspaceId=043656e7-60a5-46ef-8082-0987ac433469\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 400, "EventRecordId": "162", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-21T13:27:58.5688886+00:00", "RecordNumber": 162 } { "PayloadData1": "HostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -nop -c &{$W=$Host.UI.RawUI.WindowSize;$B=$Host.UI.RawUI.BufferSize;$W.Height=32;$B.Height=300;$Host.UI.RawUI.WindowSize=$W;$Host.UI.RawUI.BufferSize=$B;}\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Engine state is changed from Available to Stopped", "ChunkNumber": 4, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Stopped, Available, \\tNewEngineState=Stopped\\n\\tPreviousEngineState=Available\\n\\n\\tSequenceNumber=15\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=da6736f5-0505-4d08-87d2-362a9380f6b2\\n\\tHostApplication=C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -nop -c &{$W=$Host.UI.RawUI.WindowSize;$B=$Host.UI.RawUI.BufferSize;$W.Height=32;$B.Height=300;$Host.UI.RawUI.WindowSize=$W;$Host.UI.RawUI.BufferSize=$B;}\\n\\tEngineVersion=5.1.19041.6093\\n\\tRunspaceId=043656e7-60a5-46ef-8082-0987ac433469\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 403, "EventRecordId": "163", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-21T13:28:00.0324866+00:00", "RecordNumber": 163 } { "PayloadData1": "HostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -nop -c $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%') -replace [string][char]0xa9, '' -replace [string][char]0xae, '' -replace [string][char]0x2122, ''\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Provider is Started", "ChunkNumber": 4, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Registry, Started, \\tProviderName=Registry\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=1\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=9fc68cb1-3d26-4926-bc68-33a3fb98df39\\n\\tHostApplication=C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -nop -c $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%') -replace [string][char]0xa9, '' -replace [string][char]0xae, '' -replace [string][char]0x2122, ''\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "164", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-21T13:28:05.3593402+00:00", "RecordNumber": 164 } { "PayloadData1": "HostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -nop -c $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%') -replace [string][char]0xa9, '' -replace [string][char]0xae, '' -replace [string][char]0x2122, ''\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Provider is Started", "ChunkNumber": 4, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Alias, Started, \\tProviderName=Alias\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=3\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=9fc68cb1-3d26-4926-bc68-33a3fb98df39\\n\\tHostApplication=C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -nop -c $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%') -replace [string][char]0xa9, '' -replace [string][char]0xae, '' -replace [string][char]0x2122, ''\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "165", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-21T13:28:05.3849344+00:00", "RecordNumber": 165 } { "PayloadData1": "HostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -nop -c $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%') -replace [string][char]0xa9, '' -replace [string][char]0xae, '' -replace [string][char]0x2122, ''\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Provider is Started", "ChunkNumber": 4, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Environment, Started, \\tProviderName=Environment\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=5\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=9fc68cb1-3d26-4926-bc68-33a3fb98df39\\n\\tHostApplication=C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -nop -c $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%') -replace [string][char]0xa9, '' -replace [string][char]0xae, '' -replace [string][char]0x2122, ''\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "166", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-21T13:28:05.4055408+00:00", "RecordNumber": 166 } { "PayloadData1": "HostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -nop -c $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%') -replace [string][char]0xa9, '' -replace [string][char]0xae, '' -replace [string][char]0x2122, ''\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Provider is Started", "ChunkNumber": 4, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"FileSystem, Started, \\tProviderName=FileSystem\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=7\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=9fc68cb1-3d26-4926-bc68-33a3fb98df39\\n\\tHostApplication=C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -nop -c $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%') -replace [string][char]0xa9, '' -replace [string][char]0xae, '' -replace [string][char]0x2122, ''\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "167", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-21T13:28:05.4672735+00:00", "RecordNumber": 167 } { "PayloadData1": "HostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -nop -c $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%') -replace [string][char]0xa9, '' -replace [string][char]0xae, '' -replace [string][char]0x2122, ''\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Provider is Started", "ChunkNumber": 4, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Function, Started, \\tProviderName=Function\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=9\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=9fc68cb1-3d26-4926-bc68-33a3fb98df39\\n\\tHostApplication=C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -nop -c $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%') -replace [string][char]0xa9, '' -replace [string][char]0xae, '' -replace [string][char]0x2122, ''\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "168", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-21T13:28:05.4672735+00:00", "RecordNumber": 168 } { "PayloadData1": "HostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -nop -c $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%') -replace [string][char]0xa9, '' -replace [string][char]0xae, '' -replace [string][char]0x2122, ''\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Provider is Started", "ChunkNumber": 4, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Variable, Started, \\tProviderName=Variable\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=11\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=9fc68cb1-3d26-4926-bc68-33a3fb98df39\\n\\tHostApplication=C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -nop -c $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%') -replace [string][char]0xa9, '' -replace [string][char]0xae, '' -replace [string][char]0x2122, ''\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "169", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-21T13:28:05.4672735+00:00", "RecordNumber": 169 } { "PayloadData1": "HostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -nop -c $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%') -replace [string][char]0xa9, '' -replace [string][char]0xae, '' -replace [string][char]0x2122, ''\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Engine state is changed from None to Available", "ChunkNumber": 4, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Available, None, \\tNewEngineState=Available\\n\\tPreviousEngineState=None\\n\\n\\tSequenceNumber=13\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=9fc68cb1-3d26-4926-bc68-33a3fb98df39\\n\\tHostApplication=C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -nop -c $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%') -replace [string][char]0xa9, '' -replace [string][char]0xae, '' -replace [string][char]0x2122, ''\\n\\tEngineVersion=5.1.19041.6093\\n\\tRunspaceId=509e11c8-d1ee-462a-a944-f0d3eba97789\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 400, "EventRecordId": "170", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-21T13:28:05.9295355+00:00", "RecordNumber": 170 } { "PayloadData1": "HostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -nop -c $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%') -replace [string][char]0xa9, '' -replace [string][char]0xae, '' -replace [string][char]0x2122, ''\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Engine state is changed from Available to Stopped", "ChunkNumber": 4, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Stopped, Available, \\tNewEngineState=Stopped\\n\\tPreviousEngineState=Available\\n\\n\\tSequenceNumber=15\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=9fc68cb1-3d26-4926-bc68-33a3fb98df39\\n\\tHostApplication=C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -nop -c $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%') -replace [string][char]0xa9, '' -replace [string][char]0xae, '' -replace [string][char]0x2122, ''\\n\\tEngineVersion=5.1.19041.6093\\n\\tRunspaceId=509e11c8-d1ee-462a-a944-f0d3eba97789\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 403, "EventRecordId": "171", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-21T13:28:06.9382889+00:00", "RecordNumber": 171 } { "PayloadData1": "HostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -nop -c $job = Start-Job { (Get-WmiObject -Query 'SELECT * FROM SoftwareLicensingService').Version }; if (-not (Wait-Job $job -Timeout 30)) {write-host 'sppsvc is not working correctly. Check this webpage for help - https://massgrave.dev/troubleshoot'}\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Provider is Started", "ChunkNumber": 4, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Registry, Started, \\tProviderName=Registry\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=1\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=35cf1fd9-0ca1-4b40-9ee7-f41edf08975f\\n\\tHostApplication=C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -nop -c $job = Start-Job { (Get-WmiObject -Query 'SELECT * FROM SoftwareLicensingService').Version }; if (-not (Wait-Job $job -Timeout 30)) {write-host 'sppsvc is not working correctly. Check this webpage for help - https://massgrave.dev/troubleshoot'}\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "172", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-21T13:28:08.4374650+00:00", "RecordNumber": 172 } { "PayloadData1": "HostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -nop -c $job = Start-Job { (Get-WmiObject -Query 'SELECT * FROM SoftwareLicensingService').Version }; if (-not (Wait-Job $job -Timeout 30)) {write-host 'sppsvc is not working correctly. Check this webpage for help - https://massgrave.dev/troubleshoot'}\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Provider is Started", "ChunkNumber": 4, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Alias, Started, \\tProviderName=Alias\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=3\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=35cf1fd9-0ca1-4b40-9ee7-f41edf08975f\\n\\tHostApplication=C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -nop -c $job = Start-Job { (Get-WmiObject -Query 'SELECT * FROM SoftwareLicensingService').Version }; if (-not (Wait-Job $job -Timeout 30)) {write-host 'sppsvc is not working correctly. Check this webpage for help - https://massgrave.dev/troubleshoot'}\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "173", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-21T13:28:08.4627951+00:00", "RecordNumber": 173 } { "PayloadData1": "HostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -nop -c $job = Start-Job { (Get-WmiObject -Query 'SELECT * FROM SoftwareLicensingService').Version }; if (-not (Wait-Job $job -Timeout 30)) {write-host 'sppsvc is not working correctly. Check this webpage for help - https://massgrave.dev/troubleshoot'}\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Provider is Started", "ChunkNumber": 4, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Environment, Started, \\tProviderName=Environment\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=5\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=35cf1fd9-0ca1-4b40-9ee7-f41edf08975f\\n\\tHostApplication=C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -nop -c $job = Start-Job { (Get-WmiObject -Query 'SELECT * FROM SoftwareLicensingService').Version }; if (-not (Wait-Job $job -Timeout 30)) {write-host 'sppsvc is not working correctly. Check this webpage for help - https://massgrave.dev/troubleshoot'}\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "174", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-21T13:28:08.4813780+00:00", "RecordNumber": 174 } { "PayloadData1": "HostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -nop -c $job = Start-Job { (Get-WmiObject -Query 'SELECT * FROM SoftwareLicensingService').Version }; if (-not (Wait-Job $job -Timeout 30)) {write-host 'sppsvc is not working correctly. Check this webpage for help - https://massgrave.dev/troubleshoot'}\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Provider is Started", "ChunkNumber": 4, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"FileSystem, Started, \\tProviderName=FileSystem\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=7\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=35cf1fd9-0ca1-4b40-9ee7-f41edf08975f\\n\\tHostApplication=C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -nop -c $job = Start-Job { (Get-WmiObject -Query 'SELECT * FROM SoftwareLicensingService').Version }; if (-not (Wait-Job $job -Timeout 30)) {write-host 'sppsvc is not working correctly. Check this webpage for help - https://massgrave.dev/troubleshoot'}\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "175", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-21T13:28:08.5577622+00:00", "RecordNumber": 175 } { "PayloadData1": "HostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -nop -c $job = Start-Job { (Get-WmiObject -Query 'SELECT * FROM SoftwareLicensingService').Version }; if (-not (Wait-Job $job -Timeout 30)) {write-host 'sppsvc is not working correctly. Check this webpage for help - https://massgrave.dev/troubleshoot'}\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Provider is Started", "ChunkNumber": 4, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Function, Started, \\tProviderName=Function\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=9\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=35cf1fd9-0ca1-4b40-9ee7-f41edf08975f\\n\\tHostApplication=C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -nop -c $job = Start-Job { (Get-WmiObject -Query 'SELECT * FROM SoftwareLicensingService').Version }; if (-not (Wait-Job $job -Timeout 30)) {write-host 'sppsvc is not working correctly. Check this webpage for help - https://massgrave.dev/troubleshoot'}\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "176", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-21T13:28:08.5732533+00:00", "RecordNumber": 176 } { "PayloadData1": "HostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -nop -c $job = Start-Job { (Get-WmiObject -Query 'SELECT * FROM SoftwareLicensingService').Version }; if (-not (Wait-Job $job -Timeout 30)) {write-host 'sppsvc is not working correctly. Check this webpage for help - https://massgrave.dev/troubleshoot'}\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Provider is Started", "ChunkNumber": 4, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Variable, Started, \\tProviderName=Variable\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=11\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=35cf1fd9-0ca1-4b40-9ee7-f41edf08975f\\n\\tHostApplication=C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -nop -c $job = Start-Job { (Get-WmiObject -Query 'SELECT * FROM SoftwareLicensingService').Version }; if (-not (Wait-Job $job -Timeout 30)) {write-host 'sppsvc is not working correctly. Check this webpage for help - https://massgrave.dev/troubleshoot'}\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "177", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-21T13:28:08.5732533+00:00", "RecordNumber": 177 } { "PayloadData1": "HostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -nop -c $job = Start-Job { (Get-WmiObject -Query 'SELECT * FROM SoftwareLicensingService').Version }; if (-not (Wait-Job $job -Timeout 30)) {write-host 'sppsvc is not working correctly. Check this webpage for help - https://massgrave.dev/troubleshoot'}\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Engine state is changed from None to Available", "ChunkNumber": 4, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Available, None, \\tNewEngineState=Available\\n\\tPreviousEngineState=None\\n\\n\\tSequenceNumber=13\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=35cf1fd9-0ca1-4b40-9ee7-f41edf08975f\\n\\tHostApplication=C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -nop -c $job = Start-Job { (Get-WmiObject -Query 'SELECT * FROM SoftwareLicensingService').Version }; if (-not (Wait-Job $job -Timeout 30)) {write-host 'sppsvc is not working correctly. Check this webpage for help - https://massgrave.dev/troubleshoot'}\\n\\tEngineVersion=5.1.19041.6093\\n\\tRunspaceId=5e4c0b50-de2d-41e7-9581-6e0f50d6f17a\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 400, "EventRecordId": "178", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-21T13:28:09.0354170+00:00", "RecordNumber": 178 } { "PayloadData1": "HostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -Version 5.1 -s -NoLogo -NoProfile\r", "PayloadData2": "HostName=ServerRemoteHost\r", "PayloadData3": "HostVersion=1.0.0.0\r", "MapDescription": "Provider is Started", "ChunkNumber": 4, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Registry, Started, \\tProviderName=Registry\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=1\\n\\n\\tHostName=ServerRemoteHost\\n\\tHostVersion=1.0.0.0\\n\\tHostId=a22712d5-6250-4d9b-b0db-2b9a9a49c099\\n\\tHostApplication=C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -Version 5.1 -s -NoLogo -NoProfile\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "179", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-21T13:28:12.7986048+00:00", "RecordNumber": 179 } { "PayloadData1": "HostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -Version 5.1 -s -NoLogo -NoProfile\r", "PayloadData2": "HostName=ServerRemoteHost\r", "PayloadData3": "HostVersion=1.0.0.0\r", "MapDescription": "Provider is Started", "ChunkNumber": 4, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Alias, Started, \\tProviderName=Alias\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=3\\n\\n\\tHostName=ServerRemoteHost\\n\\tHostVersion=1.0.0.0\\n\\tHostId=a22712d5-6250-4d9b-b0db-2b9a9a49c099\\n\\tHostApplication=C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -Version 5.1 -s -NoLogo -NoProfile\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "180", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-21T13:28:12.7986048+00:00", "RecordNumber": 180 } { "PayloadData1": "HostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -Version 5.1 -s -NoLogo -NoProfile\r", "PayloadData2": "HostName=ServerRemoteHost\r", "PayloadData3": "HostVersion=1.0.0.0\r", "MapDescription": "Provider is Started", "ChunkNumber": 4, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Environment, Started, \\tProviderName=Environment\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=5\\n\\n\\tHostName=ServerRemoteHost\\n\\tHostVersion=1.0.0.0\\n\\tHostId=a22712d5-6250-4d9b-b0db-2b9a9a49c099\\n\\tHostApplication=C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -Version 5.1 -s -NoLogo -NoProfile\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "181", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-21T13:28:12.7986048+00:00", "RecordNumber": 181 } { "PayloadData1": "HostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -Version 5.1 -s -NoLogo -NoProfile\r", "PayloadData2": "HostName=ServerRemoteHost\r", "PayloadData3": "HostVersion=1.0.0.0\r", "MapDescription": "Provider is Started", "ChunkNumber": 4, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"FileSystem, Started, \\tProviderName=FileSystem\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=7\\n\\n\\tHostName=ServerRemoteHost\\n\\tHostVersion=1.0.0.0\\n\\tHostId=a22712d5-6250-4d9b-b0db-2b9a9a49c099\\n\\tHostApplication=C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -Version 5.1 -s -NoLogo -NoProfile\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "182", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-21T13:28:12.7986048+00:00", "RecordNumber": 182 } { "PayloadData1": "HostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -Version 5.1 -s -NoLogo -NoProfile\r", "PayloadData2": "HostName=ServerRemoteHost\r", "PayloadData3": "HostVersion=1.0.0.0\r", "MapDescription": "Provider is Started", "ChunkNumber": 4, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Function, Started, \\tProviderName=Function\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=9\\n\\n\\tHostName=ServerRemoteHost\\n\\tHostVersion=1.0.0.0\\n\\tHostId=a22712d5-6250-4d9b-b0db-2b9a9a49c099\\n\\tHostApplication=C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -Version 5.1 -s -NoLogo -NoProfile\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "183", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-21T13:28:12.7986048+00:00", "RecordNumber": 183 } { "PayloadData1": "HostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -Version 5.1 -s -NoLogo -NoProfile\r", "PayloadData2": "HostName=ServerRemoteHost\r", "PayloadData3": "HostVersion=1.0.0.0\r", "MapDescription": "Provider is Started", "ChunkNumber": 4, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Variable, Started, \\tProviderName=Variable\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=11\\n\\n\\tHostName=ServerRemoteHost\\n\\tHostVersion=1.0.0.0\\n\\tHostId=a22712d5-6250-4d9b-b0db-2b9a9a49c099\\n\\tHostApplication=C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -Version 5.1 -s -NoLogo -NoProfile\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "184", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-21T13:28:12.7986048+00:00", "RecordNumber": 184 } { "PayloadData1": "HostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -Version 5.1 -s -NoLogo -NoProfile\r", "PayloadData2": "HostName=ServerRemoteHost\r", "PayloadData3": "HostVersion=1.0.0.0\r", "MapDescription": "Engine state is changed from None to Available", "ChunkNumber": 4, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Available, None, \\tNewEngineState=Available\\n\\tPreviousEngineState=None\\n\\n\\tSequenceNumber=13\\n\\n\\tHostName=ServerRemoteHost\\n\\tHostVersion=1.0.0.0\\n\\tHostId=a22712d5-6250-4d9b-b0db-2b9a9a49c099\\n\\tHostApplication=C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -Version 5.1 -s -NoLogo -NoProfile\\n\\tEngineVersion=5.1.19041.6093\\n\\tRunspaceId=c15b1946-f145-44bc-b3b5-993ce76885d1\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 400, "EventRecordId": "185", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-21T13:28:12.7986048+00:00", "RecordNumber": 185 } { "PayloadData1": "HostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -Version 5.1 -s -NoLogo -NoProfile\r", "PayloadData2": "HostName=ServerRemoteHost\r", "PayloadData3": "HostVersion=1.0.0.0\r", "MapDescription": "Engine state is changed from Available to Stopped", "ChunkNumber": 4, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Stopped, Available, \\tNewEngineState=Stopped\\n\\tPreviousEngineState=Available\\n\\n\\tSequenceNumber=15\\n\\n\\tHostName=ServerRemoteHost\\n\\tHostVersion=1.0.0.0\\n\\tHostId=a22712d5-6250-4d9b-b0db-2b9a9a49c099\\n\\tHostApplication=C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -Version 5.1 -s -NoLogo -NoProfile\\n\\tEngineVersion=5.1.19041.6093\\n\\tRunspaceId=c15b1946-f145-44bc-b3b5-993ce76885d1\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 403, "EventRecordId": "186", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-21T13:28:16.7947273+00:00", "RecordNumber": 186 } { "PayloadData1": "HostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -nop -c $job = Start-Job { (Get-WmiObject -Query 'SELECT * FROM SoftwareLicensingService').Version }; if (-not (Wait-Job $job -Timeout 30)) {write-host 'sppsvc is not working correctly. Check this webpage for help - https://massgrave.dev/troubleshoot'}\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Engine state is changed from Available to Stopped", "ChunkNumber": 4, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Stopped, Available, \\tNewEngineState=Stopped\\n\\tPreviousEngineState=Available\\n\\n\\tSequenceNumber=15\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=35cf1fd9-0ca1-4b40-9ee7-f41edf08975f\\n\\tHostApplication=C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -nop -c $job = Start-Job { (Get-WmiObject -Query 'SELECT * FROM SoftwareLicensingService').Version }; if (-not (Wait-Job $job -Timeout 30)) {write-host 'sppsvc is not working correctly. Check this webpage for help - https://massgrave.dev/troubleshoot'}\\n\\tEngineVersion=5.1.19041.6093\\n\\tRunspaceId=5e4c0b50-de2d-41e7-9581-6e0f50d6f17a\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 403, "EventRecordId": "187", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-21T13:28:16.8637964+00:00", "RecordNumber": 187 } { "PayloadData1": "HostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -nop -c $acl = (Get-Acl 'C:\\Windows\\System32\\spp\\store\\2.0' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\\\sppsvc Allow FullControl') -or ($acl -match 'NT SERVICE\\\\sppsvc Deny')) {Exit 2}\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Provider is Started", "ChunkNumber": 4, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Registry, Started, \\tProviderName=Registry\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=1\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=9d1a3197-ecf8-4b40-aea6-517d276c6ad3\\n\\tHostApplication=C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -nop -c $acl = (Get-Acl 'C:\\\\Windows\\\\System32\\\\spp\\\\store\\\\2.0' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\\\\\\\sppsvc Allow FullControl') -or ($acl -match 'NT SERVICE\\\\\\\\sppsvc Deny')) {Exit 2}\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "188", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-21T13:28:21.1448660+00:00", "RecordNumber": 188 } { "PayloadData1": "HostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -nop -c $acl = (Get-Acl 'C:\\Windows\\System32\\spp\\store\\2.0' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\\\sppsvc Allow FullControl') -or ($acl -match 'NT SERVICE\\\\sppsvc Deny')) {Exit 2}\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Provider is Started", "ChunkNumber": 4, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Alias, Started, \\tProviderName=Alias\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=3\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=9d1a3197-ecf8-4b40-aea6-517d276c6ad3\\n\\tHostApplication=C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -nop -c $acl = (Get-Acl 'C:\\\\Windows\\\\System32\\\\spp\\\\store\\\\2.0' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\\\\\\\sppsvc Allow FullControl') -or ($acl -match 'NT SERVICE\\\\\\\\sppsvc Deny')) {Exit 2}\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "189", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-21T13:28:21.1564947+00:00", "RecordNumber": 189 } { "PayloadData1": "HostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -nop -c $acl = (Get-Acl 'C:\\Windows\\System32\\spp\\store\\2.0' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\\\sppsvc Allow FullControl') -or ($acl -match 'NT SERVICE\\\\sppsvc Deny')) {Exit 2}\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Provider is Started", "ChunkNumber": 4, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Environment, Started, \\tProviderName=Environment\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=5\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=9d1a3197-ecf8-4b40-aea6-517d276c6ad3\\n\\tHostApplication=C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -nop -c $acl = (Get-Acl 'C:\\\\Windows\\\\System32\\\\spp\\\\store\\\\2.0' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\\\\\\\sppsvc Allow FullControl') -or ($acl -match 'NT SERVICE\\\\\\\\sppsvc Deny')) {Exit 2}\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "190", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-21T13:28:21.1677818+00:00", "RecordNumber": 190 } { "PayloadData1": "HostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -nop -c $acl = (Get-Acl 'C:\\Windows\\System32\\spp\\store\\2.0' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\\\sppsvc Allow FullControl') -or ($acl -match 'NT SERVICE\\\\sppsvc Deny')) {Exit 2}\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Provider is Started", "ChunkNumber": 4, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"FileSystem, Started, \\tProviderName=FileSystem\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=7\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=9d1a3197-ecf8-4b40-aea6-517d276c6ad3\\n\\tHostApplication=C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -nop -c $acl = (Get-Acl 'C:\\\\Windows\\\\System32\\\\spp\\\\store\\\\2.0' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\\\\\\\sppsvc Allow FullControl') -or ($acl -match 'NT SERVICE\\\\\\\\sppsvc Deny')) {Exit 2}\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "191", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-21T13:28:21.2103893+00:00", "RecordNumber": 191 } { "PayloadData1": "HostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -nop -c $acl = (Get-Acl 'C:\\Windows\\System32\\spp\\store\\2.0' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\\\sppsvc Allow FullControl') -or ($acl -match 'NT SERVICE\\\\sppsvc Deny')) {Exit 2}\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Provider is Started", "ChunkNumber": 4, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Function, Started, \\tProviderName=Function\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=9\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=9d1a3197-ecf8-4b40-aea6-517d276c6ad3\\n\\tHostApplication=C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -nop -c $acl = (Get-Acl 'C:\\\\Windows\\\\System32\\\\spp\\\\store\\\\2.0' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\\\\\\\sppsvc Allow FullControl') -or ($acl -match 'NT SERVICE\\\\\\\\sppsvc Deny')) {Exit 2}\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "192", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-21T13:28:21.2103893+00:00", "RecordNumber": 192 } { "PayloadData1": "HostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -nop -c $acl = (Get-Acl 'C:\\Windows\\System32\\spp\\store\\2.0' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\\\sppsvc Allow FullControl') -or ($acl -match 'NT SERVICE\\\\sppsvc Deny')) {Exit 2}\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Provider is Started", "ChunkNumber": 4, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Variable, Started, \\tProviderName=Variable\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=11\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=9d1a3197-ecf8-4b40-aea6-517d276c6ad3\\n\\tHostApplication=C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -nop -c $acl = (Get-Acl 'C:\\\\Windows\\\\System32\\\\spp\\\\store\\\\2.0' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\\\\\\\sppsvc Allow FullControl') -or ($acl -match 'NT SERVICE\\\\\\\\sppsvc Deny')) {Exit 2}\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "193", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-21T13:28:21.2103893+00:00", "RecordNumber": 193 } { "PayloadData1": "HostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -nop -c $acl = (Get-Acl 'C:\\Windows\\System32\\spp\\store\\2.0' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\\\sppsvc Allow FullControl') -or ($acl -match 'NT SERVICE\\\\sppsvc Deny')) {Exit 2}\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Engine state is changed from None to Available", "ChunkNumber": 4, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Available, None, \\tNewEngineState=Available\\n\\tPreviousEngineState=None\\n\\n\\tSequenceNumber=13\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=9d1a3197-ecf8-4b40-aea6-517d276c6ad3\\n\\tHostApplication=C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -nop -c $acl = (Get-Acl 'C:\\\\Windows\\\\System32\\\\spp\\\\store\\\\2.0' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\\\\\\\sppsvc Allow FullControl') -or ($acl -match 'NT SERVICE\\\\\\\\sppsvc Deny')) {Exit 2}\\n\\tEngineVersion=5.1.19041.6093\\n\\tRunspaceId=05a9e1f7-3d99-485a-92de-9ef1b934045d\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 400, "EventRecordId": "194", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-21T13:28:21.7500331+00:00", "RecordNumber": 194 } { "PayloadData1": "HostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -nop -c $acl = (Get-Acl 'C:\\Windows\\System32\\spp\\store\\2.0' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\\\sppsvc Allow FullControl') -or ($acl -match 'NT SERVICE\\\\sppsvc Deny')) {Exit 2}\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Provider is Started", "ChunkNumber": 4, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Certificate, Started, \\tProviderName=Certificate\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=15\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=9d1a3197-ecf8-4b40-aea6-517d276c6ad3\\n\\tHostApplication=C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -nop -c $acl = (Get-Acl 'C:\\\\Windows\\\\System32\\\\spp\\\\store\\\\2.0' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\\\\\\\sppsvc Allow FullControl') -or ($acl -match 'NT SERVICE\\\\\\\\sppsvc Deny')) {Exit 2}\\n\\tEngineVersion=5.1.19041.6093\\n\\tRunspaceId=05a9e1f7-3d99-485a-92de-9ef1b934045d\\n\\tPipelineId=12\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "195", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-21T13:28:24.4724376+00:00", "RecordNumber": 195 } { "PayloadData1": "HostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -nop -c $acl = (Get-Acl 'C:\\Windows\\System32\\spp\\store\\2.0' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\\\sppsvc Allow FullControl') -or ($acl -match 'NT SERVICE\\\\sppsvc Deny')) {Exit 2}\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Engine state is changed from Available to Stopped", "ChunkNumber": 4, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Stopped, Available, \\tNewEngineState=Stopped\\n\\tPreviousEngineState=Available\\n\\n\\tSequenceNumber=17\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=9d1a3197-ecf8-4b40-aea6-517d276c6ad3\\n\\tHostApplication=C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -nop -c $acl = (Get-Acl 'C:\\\\Windows\\\\System32\\\\spp\\\\store\\\\2.0' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\\\\\\\sppsvc Allow FullControl') -or ($acl -match 'NT SERVICE\\\\\\\\sppsvc Deny')) {Exit 2}\\n\\tEngineVersion=5.1.19041.6093\\n\\tRunspaceId=05a9e1f7-3d99-485a-92de-9ef1b934045d\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 403, "EventRecordId": "196", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-21T13:28:24.9541047+00:00", "RecordNumber": 196 } { "PayloadData1": "HostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -nop -c $acl = (Get-Acl 'HKLM:\\SYSTEM\\WPA' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\\\sppsvc Allow QueryValues, EnumerateSubKeys, WriteKey') -or ($acl -match 'NT SERVICE\\\\sppsvc Deny')) {Exit 2}\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Provider is Started", "ChunkNumber": 4, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Registry, Started, \\tProviderName=Registry\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=1\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=af6cf50f-cbdf-46da-b0f0-dd83735a1664\\n\\tHostApplication=C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -nop -c $acl = (Get-Acl 'HKLM:\\\\SYSTEM\\\\WPA' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\\\\\\\sppsvc Allow QueryValues, EnumerateSubKeys, WriteKey') -or ($acl -match 'NT SERVICE\\\\\\\\sppsvc Deny')) {Exit 2}\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "197", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-21T13:28:25.6916415+00:00", "RecordNumber": 197 } { "PayloadData1": "HostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -nop -c $acl = (Get-Acl 'HKLM:\\SYSTEM\\WPA' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\\\sppsvc Allow QueryValues, EnumerateSubKeys, WriteKey') -or ($acl -match 'NT SERVICE\\\\sppsvc Deny')) {Exit 2}\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Provider is Started", "ChunkNumber": 5, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Alias, Started, \\tProviderName=Alias\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=3\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=af6cf50f-cbdf-46da-b0f0-dd83735a1664\\n\\tHostApplication=C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -nop -c $acl = (Get-Acl 'HKLM:\\\\SYSTEM\\\\WPA' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\\\\\\\sppsvc Allow QueryValues, EnumerateSubKeys, WriteKey') -or ($acl -match 'NT SERVICE\\\\\\\\sppsvc Deny')) {Exit 2}\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "198", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-21T13:28:25.7138767+00:00", "RecordNumber": 198 } { "PayloadData1": "HostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -nop -c $acl = (Get-Acl 'HKLM:\\SYSTEM\\WPA' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\\\sppsvc Allow QueryValues, EnumerateSubKeys, WriteKey') -or ($acl -match 'NT SERVICE\\\\sppsvc Deny')) {Exit 2}\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Provider is Started", "ChunkNumber": 5, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Environment, Started, \\tProviderName=Environment\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=5\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=af6cf50f-cbdf-46da-b0f0-dd83735a1664\\n\\tHostApplication=C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -nop -c $acl = (Get-Acl 'HKLM:\\\\SYSTEM\\\\WPA' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\\\\\\\sppsvc Allow QueryValues, EnumerateSubKeys, WriteKey') -or ($acl -match 'NT SERVICE\\\\\\\\sppsvc Deny')) {Exit 2}\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "199", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-21T13:28:25.7138767+00:00", "RecordNumber": 199 } { "PayloadData1": "HostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -nop -c $acl = (Get-Acl 'HKLM:\\SYSTEM\\WPA' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\\\sppsvc Allow QueryValues, EnumerateSubKeys, WriteKey') -or ($acl -match 'NT SERVICE\\\\sppsvc Deny')) {Exit 2}\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Provider is Started", "ChunkNumber": 5, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"FileSystem, Started, \\tProviderName=FileSystem\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=7\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=af6cf50f-cbdf-46da-b0f0-dd83735a1664\\n\\tHostApplication=C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -nop -c $acl = (Get-Acl 'HKLM:\\\\SYSTEM\\\\WPA' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\\\\\\\sppsvc Allow QueryValues, EnumerateSubKeys, WriteKey') -or ($acl -match 'NT SERVICE\\\\\\\\sppsvc Deny')) {Exit 2}\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "200", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-21T13:28:25.7507103+00:00", "RecordNumber": 200 } { "PayloadData1": "HostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -nop -c $acl = (Get-Acl 'HKLM:\\SYSTEM\\WPA' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\\\sppsvc Allow QueryValues, EnumerateSubKeys, WriteKey') -or ($acl -match 'NT SERVICE\\\\sppsvc Deny')) {Exit 2}\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Provider is Started", "ChunkNumber": 5, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Function, Started, \\tProviderName=Function\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=9\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=af6cf50f-cbdf-46da-b0f0-dd83735a1664\\n\\tHostApplication=C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -nop -c $acl = (Get-Acl 'HKLM:\\\\SYSTEM\\\\WPA' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\\\\\\\sppsvc Allow QueryValues, EnumerateSubKeys, WriteKey') -or ($acl -match 'NT SERVICE\\\\\\\\sppsvc Deny')) {Exit 2}\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "201", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-21T13:28:25.7507103+00:00", "RecordNumber": 201 } { "PayloadData1": "HostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -nop -c $acl = (Get-Acl 'HKLM:\\SYSTEM\\WPA' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\\\sppsvc Allow QueryValues, EnumerateSubKeys, WriteKey') -or ($acl -match 'NT SERVICE\\\\sppsvc Deny')) {Exit 2}\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Provider is Started", "ChunkNumber": 5, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Variable, Started, \\tProviderName=Variable\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=11\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=af6cf50f-cbdf-46da-b0f0-dd83735a1664\\n\\tHostApplication=C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -nop -c $acl = (Get-Acl 'HKLM:\\\\SYSTEM\\\\WPA' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\\\\\\\sppsvc Allow QueryValues, EnumerateSubKeys, WriteKey') -or ($acl -match 'NT SERVICE\\\\\\\\sppsvc Deny')) {Exit 2}\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "202", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-21T13:28:25.7593627+00:00", "RecordNumber": 202 } { "PayloadData1": "HostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -nop -c $acl = (Get-Acl 'HKLM:\\SYSTEM\\WPA' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\\\sppsvc Allow QueryValues, EnumerateSubKeys, WriteKey') -or ($acl -match 'NT SERVICE\\\\sppsvc Deny')) {Exit 2}\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Engine state is changed from None to Available", "ChunkNumber": 5, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Available, None, \\tNewEngineState=Available\\n\\tPreviousEngineState=None\\n\\n\\tSequenceNumber=13\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=af6cf50f-cbdf-46da-b0f0-dd83735a1664\\n\\tHostApplication=C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -nop -c $acl = (Get-Acl 'HKLM:\\\\SYSTEM\\\\WPA' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\\\\\\\sppsvc Allow QueryValues, EnumerateSubKeys, WriteKey') -or ($acl -match 'NT SERVICE\\\\\\\\sppsvc Deny')) {Exit 2}\\n\\tEngineVersion=5.1.19041.6093\\n\\tRunspaceId=2da7f31f-5399-42b1-8aed-1a0ff87eb448\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 400, "EventRecordId": "203", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-21T13:28:26.2235128+00:00", "RecordNumber": 203 } { "PayloadData1": "HostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -nop -c $acl = (Get-Acl 'HKLM:\\SYSTEM\\WPA' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\\\sppsvc Allow QueryValues, EnumerateSubKeys, WriteKey') -or ($acl -match 'NT SERVICE\\\\sppsvc Deny')) {Exit 2}\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Provider is Started", "ChunkNumber": 5, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Certificate, Started, \\tProviderName=Certificate\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=15\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=af6cf50f-cbdf-46da-b0f0-dd83735a1664\\n\\tHostApplication=C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -nop -c $acl = (Get-Acl 'HKLM:\\\\SYSTEM\\\\WPA' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\\\\\\\sppsvc Allow QueryValues, EnumerateSubKeys, WriteKey') -or ($acl -match 'NT SERVICE\\\\\\\\sppsvc Deny')) {Exit 2}\\n\\tEngineVersion=5.1.19041.6093\\n\\tRunspaceId=2da7f31f-5399-42b1-8aed-1a0ff87eb448\\n\\tPipelineId=12\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "204", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-21T13:28:28.0599859+00:00", "RecordNumber": 204 } { "PayloadData1": "HostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -nop -c $acl = (Get-Acl 'HKLM:\\SYSTEM\\WPA' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\\\sppsvc Allow QueryValues, EnumerateSubKeys, WriteKey') -or ($acl -match 'NT SERVICE\\\\sppsvc Deny')) {Exit 2}\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Engine state is changed from Available to Stopped", "ChunkNumber": 5, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Stopped, Available, \\tNewEngineState=Stopped\\n\\tPreviousEngineState=Available\\n\\n\\tSequenceNumber=17\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=af6cf50f-cbdf-46da-b0f0-dd83735a1664\\n\\tHostApplication=C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -nop -c $acl = (Get-Acl 'HKLM:\\\\SYSTEM\\\\WPA' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\\\\\\\sppsvc Allow QueryValues, EnumerateSubKeys, WriteKey') -or ($acl -match 'NT SERVICE\\\\\\\\sppsvc Deny')) {Exit 2}\\n\\tEngineVersion=5.1.19041.6093\\n\\tRunspaceId=2da7f31f-5399-42b1-8aed-1a0ff87eb448\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 403, "EventRecordId": "205", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-21T13:28:28.4035060+00:00", "RecordNumber": 205 } { "PayloadData1": "HostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -nop -c $acl = (Get-Acl 'HKLM:\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\\\sppsvc Allow SetValue') -or ($acl -match 'NT SERVICE\\\\sppsvc Deny')) {Exit 2}\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Provider is Started", "ChunkNumber": 5, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Registry, Started, \\tProviderName=Registry\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=1\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=94ecd1e1-6944-469f-9799-d194589ab6fd\\n\\tHostApplication=C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -nop -c $acl = (Get-Acl 'HKLM:\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SoftwareProtectionPlatform' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\\\\\\\sppsvc Allow SetValue') -or ($acl -match 'NT SERVICE\\\\\\\\sppsvc Deny')) {Exit 2}\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "206", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-21T13:28:29.1509816+00:00", "RecordNumber": 206 } { "PayloadData1": "HostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -nop -c $acl = (Get-Acl 'HKLM:\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\\\sppsvc Allow SetValue') -or ($acl -match 'NT SERVICE\\\\sppsvc Deny')) {Exit 2}\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Provider is Started", "ChunkNumber": 5, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Alias, Started, \\tProviderName=Alias\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=3\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=94ecd1e1-6944-469f-9799-d194589ab6fd\\n\\tHostApplication=C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -nop -c $acl = (Get-Acl 'HKLM:\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SoftwareProtectionPlatform' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\\\\\\\sppsvc Allow SetValue') -or ($acl -match 'NT SERVICE\\\\\\\\sppsvc Deny')) {Exit 2}\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "207", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-21T13:28:29.1633718+00:00", "RecordNumber": 207 } { "PayloadData1": "HostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -nop -c $acl = (Get-Acl 'HKLM:\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\\\sppsvc Allow SetValue') -or ($acl -match 'NT SERVICE\\\\sppsvc Deny')) {Exit 2}\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Provider is Started", "ChunkNumber": 5, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Environment, Started, \\tProviderName=Environment\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=5\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=94ecd1e1-6944-469f-9799-d194589ab6fd\\n\\tHostApplication=C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -nop -c $acl = (Get-Acl 'HKLM:\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SoftwareProtectionPlatform' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\\\\\\\sppsvc Allow SetValue') -or ($acl -match 'NT SERVICE\\\\\\\\sppsvc Deny')) {Exit 2}\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "208", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-22T11:14:29.1724622+00:00", "RecordNumber": 208 } { "PayloadData1": "HostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -nop -c $acl = (Get-Acl 'HKLM:\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\\\sppsvc Allow SetValue') -or ($acl -match 'NT SERVICE\\\\sppsvc Deny')) {Exit 2}\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Provider is Started", "ChunkNumber": 5, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"FileSystem, Started, \\tProviderName=FileSystem\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=7\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=94ecd1e1-6944-469f-9799-d194589ab6fd\\n\\tHostApplication=C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -nop -c $acl = (Get-Acl 'HKLM:\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SoftwareProtectionPlatform' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\\\\\\\sppsvc Allow SetValue') -or ($acl -match 'NT SERVICE\\\\\\\\sppsvc Deny')) {Exit 2}\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "209", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-22T11:14:29.2140929+00:00", "RecordNumber": 209 } { "PayloadData1": "HostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -nop -c $acl = (Get-Acl 'HKLM:\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\\\sppsvc Allow SetValue') -or ($acl -match 'NT SERVICE\\\\sppsvc Deny')) {Exit 2}\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Provider is Started", "ChunkNumber": 5, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Function, Started, \\tProviderName=Function\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=9\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=94ecd1e1-6944-469f-9799-d194589ab6fd\\n\\tHostApplication=C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -nop -c $acl = (Get-Acl 'HKLM:\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SoftwareProtectionPlatform' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\\\\\\\sppsvc Allow SetValue') -or ($acl -match 'NT SERVICE\\\\\\\\sppsvc Deny')) {Exit 2}\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "210", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-22T11:14:29.2140929+00:00", "RecordNumber": 210 } { "PayloadData1": "HostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -nop -c $acl = (Get-Acl 'HKLM:\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\\\sppsvc Allow SetValue') -or ($acl -match 'NT SERVICE\\\\sppsvc Deny')) {Exit 2}\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Provider is Started", "ChunkNumber": 5, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Variable, Started, \\tProviderName=Variable\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=11\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=94ecd1e1-6944-469f-9799-d194589ab6fd\\n\\tHostApplication=C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -nop -c $acl = (Get-Acl 'HKLM:\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SoftwareProtectionPlatform' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\\\\\\\sppsvc Allow SetValue') -or ($acl -match 'NT SERVICE\\\\\\\\sppsvc Deny')) {Exit 2}\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "211", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-22T11:14:29.2140929+00:00", "RecordNumber": 211 } { "PayloadData1": "HostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -nop -c $acl = (Get-Acl 'HKLM:\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\\\sppsvc Allow SetValue') -or ($acl -match 'NT SERVICE\\\\sppsvc Deny')) {Exit 2}\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Engine state is changed from None to Available", "ChunkNumber": 5, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Available, None, \\tNewEngineState=Available\\n\\tPreviousEngineState=None\\n\\n\\tSequenceNumber=13\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=94ecd1e1-6944-469f-9799-d194589ab6fd\\n\\tHostApplication=C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -nop -c $acl = (Get-Acl 'HKLM:\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SoftwareProtectionPlatform' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\\\\\\\sppsvc Allow SetValue') -or ($acl -match 'NT SERVICE\\\\\\\\sppsvc Deny')) {Exit 2}\\n\\tEngineVersion=5.1.19041.6093\\n\\tRunspaceId=d05d2bf0-baad-41e0-bf7c-4431b20f0a3e\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 400, "EventRecordId": "212", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-22T11:14:29.6373770+00:00", "RecordNumber": 212 } { "PayloadData1": "HostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -nop -c $acl = (Get-Acl 'HKLM:\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\\\sppsvc Allow SetValue') -or ($acl -match 'NT SERVICE\\\\sppsvc Deny')) {Exit 2}\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Provider is Started", "ChunkNumber": 5, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Certificate, Started, \\tProviderName=Certificate\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=15\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=94ecd1e1-6944-469f-9799-d194589ab6fd\\n\\tHostApplication=C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -nop -c $acl = (Get-Acl 'HKLM:\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SoftwareProtectionPlatform' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\\\\\\\sppsvc Allow SetValue') -or ($acl -match 'NT SERVICE\\\\\\\\sppsvc Deny')) {Exit 2}\\n\\tEngineVersion=5.1.19041.6093\\n\\tRunspaceId=d05d2bf0-baad-41e0-bf7c-4431b20f0a3e\\n\\tPipelineId=12\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "213", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-22T11:14:31.3920742+00:00", "RecordNumber": 213 } { "PayloadData1": "HostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -nop -c $acl = (Get-Acl 'HKLM:\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\\\sppsvc Allow SetValue') -or ($acl -match 'NT SERVICE\\\\sppsvc Deny')) {Exit 2}\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Engine state is changed from Available to Stopped", "ChunkNumber": 5, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Stopped, Available, \\tNewEngineState=Stopped\\n\\tPreviousEngineState=Available\\n\\n\\tSequenceNumber=17\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=94ecd1e1-6944-469f-9799-d194589ab6fd\\n\\tHostApplication=C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -nop -c $acl = (Get-Acl 'HKLM:\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SoftwareProtectionPlatform' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\\\\\\\sppsvc Allow SetValue') -or ($acl -match 'NT SERVICE\\\\\\\\sppsvc Deny')) {Exit 2}\\n\\tEngineVersion=5.1.19041.6093\\n\\tRunspaceId=d05d2bf0-baad-41e0-bf7c-4431b20f0a3e\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 403, "EventRecordId": "214", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-22T11:14:31.6834633+00:00", "RecordNumber": 214 } { "PayloadData1": "HostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -nop -c $netServ = (New-Object Security.Principal.SecurityIdentifier('S-1-5-20')).Translate([Security.Principal.NTAccount]).Value; $aclString = Get-Acl 'Registry::HKU\\S-1-5-20\\Software\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform\\Policies' | Format-List | Out-String; if (-not ($aclString.Contains($netServ + ' Allow FullControl') -or $aclString.Contains('NT SERVICE\\sppsvc Allow FullControl')) -or ($aclString.Contains('Deny'))) {Exit 3}\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Provider is Started", "ChunkNumber": 5, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Registry, Started, \\tProviderName=Registry\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=1\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=889c1a57-c501-4149-a4fc-10c8afc732d4\\n\\tHostApplication=C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -nop -c $netServ = (New-Object Security.Principal.SecurityIdentifier('S-1-5-20')).Translate([Security.Principal.NTAccount]).Value; $aclString = Get-Acl 'Registry::HKU\\\\S-1-5-20\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SoftwareProtectionPlatform\\\\Policies' | Format-List | Out-String; if (-not ($aclString.Contains($netServ + ' Allow FullControl') -or $aclString.Contains('NT SERVICE\\\\sppsvc Allow FullControl')) -or ($aclString.Contains('Deny'))) {Exit 3}\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "215", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-22T11:14:32.1681948+00:00", "RecordNumber": 215 } { "PayloadData1": "HostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -nop -c $netServ = (New-Object Security.Principal.SecurityIdentifier('S-1-5-20')).Translate([Security.Principal.NTAccount]).Value; $aclString = Get-Acl 'Registry::HKU\\S-1-5-20\\Software\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform\\Policies' | Format-List | Out-String; if (-not ($aclString.Contains($netServ + ' Allow FullControl') -or $aclString.Contains('NT SERVICE\\sppsvc Allow FullControl')) -or ($aclString.Contains('Deny'))) {Exit 3}\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Provider is Started", "ChunkNumber": 5, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Alias, Started, \\tProviderName=Alias\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=3\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=889c1a57-c501-4149-a4fc-10c8afc732d4\\n\\tHostApplication=C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -nop -c $netServ = (New-Object Security.Principal.SecurityIdentifier('S-1-5-20')).Translate([Security.Principal.NTAccount]).Value; $aclString = Get-Acl 'Registry::HKU\\\\S-1-5-20\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SoftwareProtectionPlatform\\\\Policies' | Format-List | Out-String; if (-not ($aclString.Contains($netServ + ' Allow FullControl') -or $aclString.Contains('NT SERVICE\\\\sppsvc Allow FullControl')) -or ($aclString.Contains('Deny'))) {Exit 3}\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "216", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-22T11:14:32.1681948+00:00", "RecordNumber": 216 } { "PayloadData1": "HostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -nop -c $netServ = (New-Object Security.Principal.SecurityIdentifier('S-1-5-20')).Translate([Security.Principal.NTAccount]).Value; $aclString = Get-Acl 'Registry::HKU\\S-1-5-20\\Software\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform\\Policies' | Format-List | Out-String; if (-not ($aclString.Contains($netServ + ' Allow FullControl') -or $aclString.Contains('NT SERVICE\\sppsvc Allow FullControl')) -or ($aclString.Contains('Deny'))) {Exit 3}\r", "PayloadData2": "HostName=ConsoleHost\r", "PayloadData3": "HostVersion=5.1.19041.6093\r", "MapDescription": "Provider is Started", "ChunkNumber": 5, "Computer": "DESKTOP-RHCJTVF", "Payload": "{\"EventData\":{\"Data\":\"Environment, Started, \\tProviderName=Environment\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=5\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.19041.6093\\n\\tHostId=889c1a57-c501-4149-a4fc-10c8afc732d4\\n\\tHostApplication=C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -nop -c $netServ = (New-Object Security.Principal.SecurityIdentifier('S-1-5-20')).Translate([Security.Principal.NTAccount]).Value; $aclString = Get-Acl 'Registry::HKU\\\\S-1-5-20\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SoftwareProtectionPlatform\\\\Policies' | Format-List | Out-String; if (-not ($aclString.Contains($netServ + ' Allow FullControl') -or $aclString.Contains('NT SERVICE\\\\sppsvc Allow FullControl')) -or ($aclString.Contains('Deny'))) {Exit 3}\\n\\tEngineVersion=\\n\\tRunspaceId=\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=\",\"Binary\":\"\"}}", "Channel": "Windows PowerShell", "Provider": "PowerShell", "EventId": 600, "EventRecordId": "217", "ProcessId": 0, "ThreadId": 0, "Level": "Info", "Keywords": "0x80000000000000", "SourceFile": "C:\\Users\\ForWinSic\\Documents\\FIZZ-IC\\Windows Artefacts\\windows_powershell.evtx", "ExtraDataOffset": 0, "HiddenRecord": false, "TimeCreated": "2024-11-22T11:14:32.1681948+00:00", "RecordNumber": 217 }