07/23/2021 09:48:45 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=40961 EventType=4 Type=Information ComputerName=DESKTOP-0UEGVUM User=NOT_TRANSLATED Sid=S-1-5-21-2775050108-321880839-2455865217-1001 SidType=0 TaskCategory=PowerShell Console Startup OpCode=Start RecordNumber=10 Keywords=None Message=PowerShell console is starting up

07/23/2021 09:48:53 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=53504 EventType=4 Type=Information ComputerName=DESKTOP-0UEGVUM User=NOT_TRANSLATED Sid=S-1-5-21-2775050108-321880839-2455865217-1001 SidType=0 TaskCategory=PowerShell Named Pipe IPC OpCode=Open (async) RecordNumber=11 Keywords=None Message=Windows PowerShell has started an IPC listening thread on process: 7344 in AppDomain: DefaultAppDomain.

07/23/2021 09:48:58 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=40962 EventType=4 Type=Information ComputerName=DESKTOP-0UEGVUM User=NOT_TRANSLATED Sid=S-1-5-21-2775050108-321880839-2455865217-1001 SidType=0 TaskCategory=PowerShell Console Startup OpCode=Stop RecordNumber=12 Keywords=None Message=PowerShell console is ready for user input

07/23/2021 09:49:20 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=3 Type=Warning ComputerName=DESKTOP-0UEGVUM User=NOT_TRANSLATED Sid=S-1-5-21-2775050108-321880839-2455865217-1001 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=13 Keywords=None Message=Creating Scriptblock text (1 of 1): New-Item -Path "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Force ScriptBlock ID: 87acc219-2e13-468b-b90b-cf9265090c23 Path:

07/23/2021 09:49:24 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=3 Type=Warning ComputerName=DESKTOP-0UEGVUM User=NOT_TRANSLATED Sid=S-1-5-21-2775050108-321880839-2455865217-1001 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=16 Keywords=None Message=Creating Scriptblock text (1 of 1): New-Item -Path "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Force ScriptBlock ID: b83e2c32-1114-45c6-a238-5fc54a742669 Path:

07/23/2021 09:49:24 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=3 Type=Warning ComputerName=DESKTOP-0UEGVUM User=NOT_TRANSLATED Sid=S-1-5-21-2775050108-321880839-2455865217-1001 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=15 Keywords=None Message=Creating Scriptblock text (1 of 1): New-Item -Path "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Force ScriptBlock ID: c81b5f25-48de-42e0-a93b-8ee53b424f8a Path:

07/23/2021 09:49:24 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=3 Type=Warning ComputerName=DESKTOP-0UEGVUM User=NOT_TRANSLATED Sid=S-1-5-21-2775050108-321880839-2455865217-1001 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=14 Keywords=None Message=Creating Scriptblock text (1 of 1): New-Item -Path "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Force ScriptBlock ID: 22c70190-101d-4249-92de-ee55a5d1ddcc Path:

07/23/2021 09:50:04 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=3 Type=Warning ComputerName=DESKTOP-0UEGVUM User=NOT_TRANSLATED Sid=S-1-5-21-2775050108-321880839-2455865217-1001 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=17 Keywords=None Message=Creating Scriptblock text (1 of 1): Set-ItemProperty -Path "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Name "EnableScriptBlockLogging" -Value 1 -Force ScriptBlock ID: f3dfa817-c6b2-4cba-b7a1-5d8734fcd0b5 Path:

07/23/2021 09:50:25 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=40961 EventType=4 Type=Information ComputerName=DESKTOP-0UEGVUM User=NOT_TRANSLATED Sid=S-1-5-21-2775050108-321880839-2455865217-1001 SidType=0 TaskCategory=PowerShell Console Startup OpCode=Start RecordNumber=18 Keywords=None Message=PowerShell console is starting up

07/23/2021 09:50:26 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=53504 EventType=4 Type=Information ComputerName=DESKTOP-0UEGVUM User=NOT_TRANSLATED Sid=S-1-5-21-2775050108-321880839-2455865217-1001 SidType=0 TaskCategory=PowerShell Named Pipe IPC OpCode=Open (async) RecordNumber=19 Keywords=None Message=Windows PowerShell has started an IPC listening thread on process: 3552 in AppDomain: DefaultAppDomain.

07/23/2021 09:50:29 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=5 Type=Verbose ComputerName=DESKTOP-0UEGVUM User=NOT_TRANSLATED Sid=S-1-5-21-2775050108-321880839-2455865217-1001 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=21 Keywords=None Message=Creating Scriptblock text (1 of 1): prompt ScriptBlock ID: 305f1552-44a0-42ea-ad73-f62e2f3ce1eb Path:

07/23/2021 09:50:29 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=40962 EventType=4 Type=Information ComputerName=DESKTOP-0UEGVUM User=NOT_TRANSLATED Sid=S-1-5-21-2775050108-321880839-2455865217-1001 SidType=0 TaskCategory=PowerShell Console Startup OpCode=Stop RecordNumber=20 Keywords=None Message=PowerShell console is ready for user input

07/23/2021 09:50:51 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=5 Type=Verbose ComputerName=DESKTOP-0UEGVUM User=NOT_TRANSLATED Sid=S-1-5-21-2775050108-321880839-2455865217-1001 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=22 Keywords=None Message=Creating Scriptblock text (1 of 1): Get-LocalGroup ScriptBlock ID: 05b7c5b9-7557-4a22-9b70-d62f27263c01 Path:

07/23/2021 09:50:54 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=5 Type=Verbose ComputerName=DESKTOP-0UEGVUM User=NOT_TRANSLATED Sid=S-1-5-21-2775050108-321880839-2455865217-1001 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=23 Keywords=None Message=Creating Scriptblock text (1 of 1): prompt ScriptBlock ID: de33e734-b423-4725-9708-60e6286b8938 Path:

07/23/2021 10:01:13 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=40961 EventType=4 Type=Information ComputerName=DESKTOP-0UEGVUM User=NOT_TRANSLATED Sid=S-1-5-21-2775050108-321880839-2455865217-1001 SidType=0 TaskCategory=PowerShell Console Startup OpCode=Start RecordNumber=24 Keywords=None Message=PowerShell console is starting up

07/23/2021 10:01:14 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=53504 EventType=4 Type=Information ComputerName=DESKTOP-0UEGVUM User=NOT_TRANSLATED Sid=S-1-5-21-2775050108-321880839-2455865217-1001 SidType=0 TaskCategory=PowerShell Named Pipe IPC OpCode=Open (async) RecordNumber=25 Keywords=None Message=Windows PowerShell has started an IPC listening thread on process: 3508 in AppDomain: DefaultAppDomain.

07/23/2021 10:01:15 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=5 Type=Verbose ComputerName=DESKTOP-0UEGVUM User=NOT_TRANSLATED Sid=S-1-5-21-2775050108-321880839-2455865217-1001 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=27 Keywords=None Message=Creating Scriptblock text (1 of 1): prompt ScriptBlock ID: 7aed5214-22bb-4793-899e-b76cddc8fd78 Path:

07/23/2021 10:01:15 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=40962 EventType=4 Type=Information ComputerName=DESKTOP-0UEGVUM User=NOT_TRANSLATED Sid=S-1-5-21-2775050108-321880839-2455865217-1001 SidType=0 TaskCategory=PowerShell Console Startup OpCode=Stop RecordNumber=26 Keywords=None Message=PowerShell console is ready for user input

07/23/2021 10:01:17 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=5 Type=Verbose ComputerName=DESKTOP-0UEGVUM User=NOT_TRANSLATED Sid=S-1-5-21-2775050108-321880839-2455865217-1001 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=29 Keywords=None Message=Creating Scriptblock text (1 of 1): prompt ScriptBlock ID: 507253f6-a1a0-404e-8855-d089dd7302b0 Path:

07/23/2021 10:01:17 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=5 Type=Verbose ComputerName=DESKTOP-0UEGVUM User=NOT_TRANSLATED Sid=S-1-5-21-2775050108-321880839-2455865217-1001 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=28 Keywords=None Message=Creating Scriptblock text (1 of 1): [System.IO.File]::Copy("\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\System32\config\SAM", "c:\Windows\Temp\sam.copy") ScriptBlock ID: 7596e7ab-2205-4fdb-981e-3bf7a0692164 Path:

07/23/2021 10:01:24 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=5 Type=Verbose ComputerName=DESKTOP-0UEGVUM User=NOT_TRANSLATED Sid=S-1-5-21-2775050108-321880839-2455865217-1001 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=31 Keywords=None Message=Creating Scriptblock text (1 of 1): prompt ScriptBlock ID: d9a55441-cd8d-48c9-8758-9b5a26bd611c Path:

07/23/2021 10:01:24 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=5 Type=Verbose ComputerName=DESKTOP-0UEGVUM User=NOT_TRANSLATED Sid=S-1-5-21-2775050108-321880839-2455865217-1001 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=30 Keywords=None Message=Creating Scriptblock text (1 of 1): [System.IO.File]::Copy("\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\System32\config\SYSTEM", "c:\Windows\Temp\system.copy") ScriptBlock ID: 563481d7-8dda-469c-af48-379b6056cc5b Path:

07/23/2021 10:01:31 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=5 Type=Verbose ComputerName=DESKTOP-0UEGVUM User=NOT_TRANSLATED Sid=S-1-5-21-2775050108-321880839-2455865217-1001 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=33 Keywords=None Message=Creating Scriptblock text (1 of 1): prompt ScriptBlock ID: 4f96cc30-2a89-4758-ab65-8382d5d58afd Path:

07/23/2021 10:01:31 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=5 Type=Verbose ComputerName=DESKTOP-0UEGVUM User=NOT_TRANSLATED Sid=S-1-5-21-2775050108-321880839-2455865217-1001 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=32 Keywords=None Message=Creating Scriptblock text (1 of 1): [System.IO.File]::Copy("\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\System32\config\SECURITY", "c:\Windows\Temp\security.copy") ScriptBlock ID: abd7913e-6587-4b8e-bcfc-47c5874d3cf6 Path: